Hey everyone,
I just need to get this off my chest and hear what others think, because it’s been bugging me for months now.
Back in December, my manager gave me a tablet as a “gift.” He told me I could take it home, install my own apps, all that. The next day, though, he asked me to install a company app on it (not from the Play Store, but through a link he sent me). The app is meant to scan QR codes at work sites and send reports to clients. Seems simple enough, right?
Later, I ran the APK through VirusTotal after I saw that it was asking for a bunch of sketchy permissions, way more than it should need for QR scanning and sending emails. Here’s what really caught my eye:
Microphone access (RECORD_AUDIO) – but the app has no voice features at all.
Camera – expected for QR scanning, but still worth noting when paired with mic access.
Call permissions (CALL_PHONE, PROCESS_OUTGOING_CALLS) – why would a QR app need to make or monitor calls?
Send SMS – again, makes no sense.
Read phone state – could be used to track calls and phone usage.
Permission to install other apps – major red flag.
Location tracking and access to storage – kind of expected these days, but still sketchy given the rest.
It gets better (or worse): when he gave me the tablet, he had me sign an equipment handover form saying the tablet still belongs to the company and I’d be responsible if it got damaged. Only after that did he tell me it’s for work use so yeah, not really a “gift.”
Then on May 9th, we moved to a newer version of the same app, but this one’s actually on the Play Store and doesn’t ask for any of those sketchy permissions no mic, no call access, nothing like that. That just makes the original one seem even more suspicious.
What really freaks me out is that my contract actually says the company can “plant a recording device” on me. At the time I didn’t think much of it, but now I’m wondering if this tablet was exactly that. I used to take it home all the time, and I vent a lot — especially about this specific manager. Now I’m wondering if I was being recorded without knowing.
So… am I just being paranoid, or does this actually sound like a legit concern? Would love to hear what others think — especially if you know a bit about Android app development, or even workplace tech policies.
Location: South Africa, Cape Town
Thanks!
Comments
if you value your privacy its….
>he had me sign an equipment handover form saying the tablet still belongs to the company
Sounds like you were given company equipment. Monitoring software is usually included with that and as far as I know the ECPA allows for that. It beeing hidden inside a QR scanning app is indeed scetchy tho.Use it for work and nothing else. Leave it at work or turn it off when you don’t use it.Edit: never mind, just read you are located in south africa.