App Took Camera, Contacts, SMS, Location: What to Do

Quick answer. If you tapped “Allow” on camera, contacts, SMS, and location for an app you do not fully trust, that app can now read your photos, copy your entire address book, read every incoming OTP and bank SMS, and follow you around the city. This is the exact combo loan harassment apps and stalkerware use. Open Settings, revoke all four permissions today, force stop the app, scan your phone, change passwords on email and banking, and read the rest of this guide before you uninstall. The RTI Wiki editorial team will walk you through every step for Android and iPhone, plus how the DPDP Act 2023 gives you a legal right to withdraw consent and demand deletion.

If you are short on time, jump to What to do in the next 30 minutes and the one page revoke checklist.

Why this article exists

A 28 year old marketing executive in Bengaluru installed a “fast personal loan” app on a Sunday night. It asked for camera, contacts, SMS, and location. She tapped Allow. By Tuesday morning her cousin in Delhi got a WhatsApp message with her photo and the line “she is a loan defaulter, please tell her to pay”. She had not even taken the loan. She had only opened the app once.

This page is for that moment. Information on permissions is scattered across help pages from Google, Apple, RBI, MeitY, and a dozen consumer blogs. We bring it together: what each of the four permissions actually unlocks, why the combination of all four is the danger signal, how to revoke each one on Android and iPhone, when to uninstall, when to factory reset, when to walk into a cyber police station, and how the Digital Personal Data Protection Act 2023 gives you a clean legal route to demand the app delete every byte it copied.

Why the four permissions together are the danger signal

Any single permission can be fine. A photo editor needs the camera. WhatsApp needs contacts. A bank app needs SMS for OTP autoread. A food delivery app needs location.

The danger is the combination. When one app asks for all four, especially at install time before you have done anything useful inside, three things become possible at once:

  • Surveillance. Camera plus location lets the app see you and where you are.
  • Identity capture. Contacts plus SMS lets it copy your social graph and intercept every OTP, every bank alert, every Aadhaar OTP, every UPI confirmation.
  • Coercion. With contacts and photos, an unethical operator can reach your family, boss, and neighbours with edited messages within minutes.

This is exactly the playbook of illegal loan apps, flagged by RBI and MeitY under the Digital Lending Guidelines 2022 and IT Rules 2021. The same risk applies to fake astrology apps, “earn money” apps, romance scams, fake government scheme apps, and stalkerware sold as “child safety” or “spouse monitoring”. See also Fake app installed on phone and Email misused for loans, apps, deliveries.

What each permission actually unlocks

Citizens often think a permission gives access only when the app is open. That is wrong. By default most permissions on Android are “While using the app” or “All the time” depending on what you tapped. On iPhone the choices are clearer, but defaults still leak more than people realise.

Camera permission

Camera permission lets the app open the front or rear camera while in the foreground, capture stills and video, and control flash and zoom. On older Android, some apps recorded without showing the in use indicator. iOS 14 and Android 12 added a green or orange dot in the status bar, but most people do not notice it. A loan app once approved can demand a “KYC selfie”, record video of your room, and store everything. A stalkerware app can be opened by background automation and capture the user's face.

Contacts permission

Contacts permission lets the app read every name, phone number, email, and saved relationship in your phone, including nicknames like “Mummy” or “Boss” which make the list high signal. This is the single most weaponised permission in India. With your contact list a coercion operator can send WhatsApp to your father saying you are a defaulter, send a voice note to your spouse saying you are cheating, email your office HR saying you are a fraudster, and sell the list to other operators who repeat the cycle. There is no honest reason for a loan app, wallpaper app, or flashlight app to read your contacts.

SMS permission

SMS permission lets the app read every SMS in your inbox (including bank alerts from years ago), read every new SMS as it arrives (including OTPs), send SMS from your number, and mark messages as read so you never see them. This is the most dangerous permission for your bank account. With SMS read access an app can capture the OTP for a UPI transfer, a credit card transaction, an Aadhaar based eKYC, or a “forgot password” attempt on your email.

Google has tightened SMS permissions since 2019. Google Play policy now restricts SMS read and receive permissions to apps that are the device's default SMS handler (with a few narrow exceptions), but side loaded APKs and apps on older devices can still request it the old way. iPhone has never given apps direct SMS read access, only an autofill suggestion when the user taps the OTP field. That is one big reason iPhones are slightly safer here.

Location permission

Location permission lets the app know your precise GPS coordinates within about 5 metres outdoors, your approximate position from cell towers and Wi Fi, your movement history if you also gave background location, and your home and office (inferred from where you sleep and where you spend weekdays). Location plus camera plus contacts is the stalkerware combo. An abusive partner who installs a “family safety” app on a spouse's phone can pinpoint home, work, the doctor's clinic, and family visits. For loan harassment, location lets an operator say “we know you are at this address” and double the fear.

For a deeper civic context see Middle class traps every family should know and Citizen RTI playbook.

When to suspect an app

You do not need to be a security expert. These signs together are enough.

  • Asked for camera, contacts, SMS, and location at install before you did anything useful inside.
  • Fewer than 50,000 installs but suspiciously high ratings from very short reviews.
  • Developer is a single individual or generic LLP you cannot find on MCA21.
  • Privacy policy link goes to a free hosting site or a broken page.
  • No longer on the Play Store but still installed on your phone (taken down after you installed it).
  • Sends notifications at odd hours, shows ads when no other app is open, or drains battery and mobile data in the background.
  • Friends or family receive messages from your number that you never sent.

A single sign is a flag. Three or more, act today.

What to do in the next 30 minutes

Do these in order. Stop the bleeding first, then investigate.

  1. Aeroplane mode for 60 seconds, then back on. Kills any active data leak in progress.
  2. Open Settings, find the suspect app. Android: Settings, Apps, App list. iPhone: Settings, scroll to the app at the bottom.
  3. Revoke all four permissions. Camera, Contacts, SMS (or Messages on iPhone), Location set to “Don't allow” or “Never”. Also revoke microphone, storage, phone, and any device admin rights.
  4. Force stop the app. Android: same screen, Force Stop. iPhone: App Switcher, swipe up.
  5. Disable notifications and background data on the same screen.
  6. Check device admin and accessibility. Android: Settings, search “device admin apps” and “Accessibility”. Switch off anything you do not recognise. This is where loan apps and stalkerware hide.
  7. Check default SMS app and dialer. If the suspect app is your default, change it back to Messages or your stock dialer.
  8. Run Play Protect (Android) or check App Privacy Report (iPhone).
  9. Change four passwords now. Primary email, banking app, UPI PIN, and any reused password. Use a different device if you have one.
  10. Tell one trusted person. Short message: “ignore any strange message from me in the next 2 days, call me first”. Blocks coercion.
  11. Take screenshots of the permission screen, install date, developer name, and any harassment received.

Only after these 11 steps should you uninstall, because uninstalling first sometimes removes the evidence you need.

One page revoke checklist

Print or save this. Tick each box.

  • [ ] Camera, Contacts, SMS, Location revoked
  • [ ] Microphone, Storage or Photos, Phone revoked
  • [ ] Device admin rights and accessibility service disabled
  • [ ] Background data and notifications disabled
  • [ ] Default SMS app and dialer reset
  • [ ] Play Protect scan run (Android) or App Privacy Report checked (iPhone)
  • [ ] Email, bank passwords changed and UPI PIN reset
  • [ ] Trusted person told and screenshots saved
  • [ ] App uninstalled, phone restarted
  • [ ] Bank statement reviewed for 7 days

How to revoke permissions on Android

The exact menu varies slightly across Android 12, 13, 14, and 15, and across OEM skins like One UI on Samsung, MIUI or HyperOS on Xiaomi, ColorOS on Oppo, and OxygenOS on OnePlus. The structure is the same.

Method A: Per app

Settings, Apps, See all apps, tap the suspect app, Permissions. Tap each permission shown as “Allowed” and set to “Don't allow”. Back out, tap Mobile data and Wi Fi, switch off Background data. Back to the main app screen, Force stop.

Method B: Per permission

Settings, Privacy, Permission manager. Tap Camera to see every app that has it, then revoke. Repeat for Contacts, SMS, Location, Microphone, Files and media, Phone, Calendar, and Body sensors. This is gold for periodic audits.
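The per permission audit above is a manual walk through the Settings menu. A helper who has USB debugging and adb available can do the same audit from a computer, which also catches the four permission combination flagged earlier as the danger signal and cross checks it against enabled accessibility services. The script below is an added example, not part of the original guide or of any official tool: it parses the text of `adb shell dumpsys package` and the value of `adb shell settings get secure enabled_accessibility_services`, lists every package holding camera, contacts, SMS and location at once, and prints the `adb shell pm revoke` commands to undo those grants. The embedded sample output is constructed for illustration; the package names in it are invented. The parser keys on the `Package [name]` and `runtime permissions:` lines of dumpsys output, whose exact layout can vary between Android versions, so check it against your own dump first.

```python
"""Offline audit of Android runtime permission grants (added example).

Usage on a real phone:
    adb shell dumpsys package > dump.txt
    adb shell settings get secure enabled_accessibility_services > a11y.txt
    python3 audit.py dump.txt a11y.txt
With no arguments it runs over the constructed sample below.
"""
import re
import sys

# Runtime permissions behind the four toggles discussed in the guide.
DANGER_GROUPS = {
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: set of granted runtime permissions} from dumpsys text."""
    grants = {}
    pkg = None
    in_runtime = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            grants.setdefault(pkg, set())
            in_runtime = False
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if stripped.endswith("permissions:"):  # e.g. "install permissions:"
            in_runtime = False
            continue
        m = GRANT_RE.match(line)
        if in_runtime and m and m.group(2) == "true":
            grants[pkg].add(m.group(1))
    return grants


def granted_groups(perms):
    """Which of the four groups a set of granted permissions covers."""
    return {group for group, names in DANGER_GROUPS.items() if perms & names}


def danger_combo(grants):
    """Packages holding all four groups at once: the guide's danger signal."""
    return sorted(pkg for pkg, perms in grants.items()
                  if granted_groups(perms) == set(DANGER_GROUPS))


def accessibility_packages(setting_value):
    """Package names from the enabled_accessibility_services setting.

    The value is colon separated entries of the form pkg/pkg.ServiceClass,
    or the literal string 'null' when no service is enabled.
    """
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0]
            for entry in setting_value.strip().split(":") if entry}


def revoke_commands(pkg, perms):
    """adb commands that revoke the four groups' permissions for one package."""
    dangerous = set().union(*DANGER_GROUPS.values())
    return [f"adb shell pm revoke {pkg} {p}" for p in sorted(perms & dangerous)]


def audit(dumpsys_text, accessibility_value=""):
    """Flag danger-combo packages and whether each also runs an accessibility service."""
    grants = parse_dumpsys(dumpsys_text)
    a11y = accessibility_packages(accessibility_value)
    return [{"package": pkg,
             "accessibility": pkg in a11y,
             "revoke": revoke_commands(pkg, grants[pkg])}
            for pkg in danger_combo(grants)]


# Constructed sample in the shape of `dumpsys package` output; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fastloan] (1a2b3c):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.fooddelivery] (4d5e6f):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=2 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
# Constructed sample of the accessibility setting: the loan app runs a screen reading service.
SAMPLE_ACCESSIBILITY = "com.example.fastloan/com.example.fastloan.ScreenReaderService"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    a11y = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ACCESSIBILITY
    for item in audit(text, a11y):
        flag = " + ACCESSIBILITY SERVICE ENABLED" if item["accessibility"] else ""
        print(f"{item['package']}: holds camera, contacts, SMS and location{flag}")
        for cmd in item["revoke"]:
            print("  " + cmd)
```

The script only reads the dump and prints commands; nothing is revoked until you run the printed lines yourself, which keeps the evidence step (screenshots of the permission screen) ahead of any change, as the 30 minute checklist advises. A food delivery app holding only location is left alone, since the signal is the combination, not any single permission.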

Auto reset for unused apps

Android 11 and above auto reset permissions for apps you have not opened in a few months. In Settings, Apps, the suspect app, switch on “Remove permissions if app is unused”.

Device admin and accessibility

These two areas are where the worst apps hide. They are not in the normal permission list.

  1. Settings, search “device admin apps”. Switch off any app you do not 100 percent recognise as your bank, employer MDM, or Find My Device.
  2. Settings, Accessibility, Downloaded apps or Installed services. Switch off anything you did not consciously enable. Many loan apps and screen recorders abuse accessibility to read your screen.

Reset all app permissions

Settings, Apps, three dot menu, Reset app preferences. Does not delete apps or data; it only resets default apps, notifications, background data restrictions, disabled apps, and permission restrictions. You will be reprompted for permissions as you use each app.

How to revoke permissions on iPhone

iOS is more contained than Android, but the basics are the same.

Method A: Per app

Settings, scroll to the suspect app name. You will see toggles for Location, Contacts, Microphone, Camera, Photos, Tracking, Cellular Data, Background App Refresh, and Notifications. Switch off every one you do not actively need.

Method B: Per permission

Settings, Privacy and Security. Tap Camera to see every app that requested it. Switch off the ones you do not want. Repeat for Contacts, Microphone, Photos, Location Services, Motion and Fitness, Bluetooth, Local Network, and Tracking.

Location Services and Tracking

In Privacy and Security, Location Services, set each app to “While Using” or “Never”. Avoid “Always” except for genuine navigation apps. Open “System Services” at the bottom and clear “Significant Locations” if not needed. In Privacy and Security, Tracking, switch off “Allow Apps to Request to Track” for a blanket ban, or review the list and deny each suspicious app.

App Privacy Report

This is the most underused safety feature on iPhone. It shows which sensors and data sources each app touched in the last week. Settings, Privacy and Security, App Privacy Report. Turn it on, wait a week, then open and review. You will see which apps accessed your photos, contacts, location, camera, and microphone at 3 am.

Reset all settings

If you cannot find a setting, Settings, General, Transfer or Reset iPhone, Reset All Settings is the nuclear option short of erase. It does not delete photos or apps; it resets Wi Fi passwords, VPNs, and privacy decisions, so you will be reprompted by each app.

When to uninstall, when to factory reset

Most apps you can simply uninstall after revoking permissions. Some need stronger treatment.

  • Just uninstall for wallpaper, flashlight, photo editor, or free game apps that asked for too much. Revoke, uninstall, move on.
  • Uninstall plus password reset for loan apps you tried but did not borrow from. Reset email, bank, and UPI before you uninstall.
  • Uninstall plus factory reset for any app you suspect installed itself silently, any APK from a WhatsApp link or side load, any app that gained device admin or accessibility, or any app installed by someone else who briefly had your phone.

Factory reset workflow for Android: back up to Google Drive (including photos and WhatsApp), then Settings, System, Reset, Erase all data. After reset, reinstall apps one by one from the Play Store; do not restore the full backup blindly. For iPhone: Settings, General, Transfer or Reset iPhone, Erase All Content and Settings. Restore from an iCloud backup taken before the suspect app was installed, if possible.

Signs you must factory reset: bank money moved without approval, SMS or call logs you did not make, family already got coercion messages, the app gained device admin or accessibility, or the camera or microphone indicator stays on when no app is open. For phone level cleanup see also Fake app installed on phone: removal and bank safety.

Evidence checklist

If money is missing, family has been contacted, or you plan a cyber complaint, gather this before you uninstall.

  • Screenshot of the app icon on the home screen and its store listing page (search by name if removed).
  • Screenshot of the permission list under Settings, with each state visible.
  • Screenshot of the install date, developer name and contact email, and privacy policy URL.
  • Screenshot of any WhatsApp, SMS, or email harassment received by your contacts.
  • Bank statement PDF and UPI app history for the last 7 days.
  • Email login activity from Gmail Security or Apple ID, showing any unknown device.
  • APK file if you side loaded (do not open, just keep).
  • Note your phone model, OS version, and IMEI.

Store everything in one folder on a different device or cloud drive, not only on the affected phone.

Official complaint route

There are five doors and you can knock on more than one in parallel.

Door 1: Google Play or Apple App Store

If the app came from an official store, report it there. Play Store: app listing, three dot menu, “Flag as inappropriate”, pick the best fit. App Store: app page, “Ratings and Reviews”, “Report a Problem”, or reportaproblem.apple.com. Keep the email confirmation.

Door 2: MeitY and cybercrime.gov.in

The Ministry of Electronics and IT runs the National Cyber Crime Reporting Portal at cybercrime.gov.in. Choose “Report Financial Fraud” if money has moved, else “Report Other Cybercrime” under “Online Cyber Trafficking” or similar category. Attach your evidence pack and note the complaint number. For the financial side see Bank freeze in cyber fraud cases and 1930 helpline call script.

Door 3: The 1930 helpline

If money has been debited or you fear it will be, dial 1930 within the first hour if possible. Read the call script in our 1930 helpline guide before you dial. Note the acknowledgement number.

Door 4: RBI Sachet portal

For unauthorised lending apps and digital lending abuse, file at sachet.rbi.org.in. Quote the RBI Digital Lending Guidelines 2022, which restrict regulated lenders to only what is necessary for the loan, with explicit consent, and forbid contact list and gallery access.

Door 5: DPDP Act 2023 grievance officer and Data Protection Board

The DPDP Act 2023 gives you direct rights as a Data Principal: withdraw consent under §6(4) and §6(6); erasure under §12; grievance redressal under §13 (every Data Fiduciary must publish a grievance officer's contact). If unsatisfactory within 30 days, complain to the Data Protection Board under §27. Send your withdrawal in writing (email is fine). Template below.

For account level recovery see Locked out of Google, Apple, Meta or Microsoft accounts: recovery.

When cyber or police is genuinely needed

Most cases close at the store and portal level. But escalate to local cyber cell or a police station when any of these are true.

  • Money has been debited from your bank or UPI without your approval.
  • Your contacts have received coercion messages with your photo or voice.
  • Edited or obscene images have been circulated.
  • The app threatens you, your family, or your workplace.
  • The app demands further payment (“processing fee”, “unlock fee”) to stop harassment.
  • Your identity documents (Aadhaar, PAN) have appeared in any new loan or KYC you did not apply for.

Walk into the cyber police station of your district with the evidence pack. Ask for an FIR under the relevant sections of the Bharatiya Nyaya Sanhita 2023 (BNS) such as cheating, criminal intimidation, and forgery as applicable, read with the Information Technology Act 2000 §66 to §66D and §67. The procedure follows the Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS), which replaced the old CrPC.

If the cyber police are unresponsive, escalate to the Superintendent of Police, then to the State Cyber Crime Wing, then file a writ under Article 226 in the High Court if a serious right is at stake. For a structured citizen advocacy path see Citizen RTI playbook.

DPDP consent withdrawal and deletion request template

Use this template. Adapt the bracketed parts. Send it from the email you used to sign up. Copy the grievance officer (if listed), the app's general support email, the Play Store developer email, and yourself.

Subject: Withdrawal of consent under DPDP Act 2023 and request for data deletion - [app name] - [your phone number]

To,
The Grievance Officer
[App name and developer entity]

Sir or Madam,

I am a Data Principal under the Digital Personal Data Protection Act 2023. I installed your app [app name] on [date] using mobile [+91 xxxxx xxxxx] and email [your email]. At install I granted camera, contacts, SMS, and location permissions.

1. I withdraw my consent under section 6(4) and 6(6) of the DPDP Act 2023, with immediate effect, for all processing of my personal data, including data accessed through camera, contacts, SMS, and location.

2. I exercise my right to erasure under section 12. Please delete all my personal data, including contact list, SMS metadata, photographs, videos, location history, device identifiers, and any derived data, within the timelines prescribed under law.

3. I exercise my right to information under section 11. Please confirm in writing what categories of my data you collected, processed, and shared with any third party, including debt collection agents, marketing partners, and affiliate apps.

4. I require written confirmation of deletion within 30 days, signed by your Data Protection or Grievance Officer.

If the response is unsatisfactory, I will complain to the Data Protection Board of India under section 27, and pursue remedies under the IT Rules 2021 and the IT Act 2000.

Please also stop contacting any number from my contact list. Any further contact with my contacts will be treated as criminal intimidation under the BNS 2023 and reported to the cyber police.

Yours,
[Your name]
[Phone] | [Email] | [City] | [Date]

Send this even after uninstalling. The withdrawal and deletion rights exist regardless of whether the app is still on your phone.

How DPDP Act 2023 principles protect you

The DPDP Act 2023 is India's first standalone data protection law. A few simple principles, each one a hook for your case.

  • Purpose limitation. A Data Fiduciary (the app company) can collect personal data only for a specific, lawful purpose stated to you. A wallpaper app has no lawful purpose to read your SMS. A flashlight app has no lawful purpose to copy your contacts.
  • Data minimisation. The app must collect only what is necessary. Asking for the full contact book “for KYC” or “for credit score” is not minimisation. The RBI Digital Lending Guidelines 2022 make this explicit for lenders.
  • Consent. Must be free, specific, informed, unconditional, and unambiguous. Pre ticked boxes, bundled consent, and SMS read access buried in a 20 page T and C are not consent.
  • Right to withdraw. Sections 6(4) and 6(6) say you can withdraw consent any time, and the ease of withdrawal must match the ease of giving it. One tap in, one tap or one short email out.
  • Grievance redressal. Section 13 requires every Data Fiduciary to publish a grievance officer contact and respond within a reasonable period.
  • Data Protection Board. Section 27 creates the Board. You can complain directly if your grievance is ignored.
  • Penalties. Schedule 1 lists penalties up to several hundred crore rupees for failures to protect personal data and for non compliance with Board directions. This is the financial teeth of the law.

For broader RTI based advocacy, our Citizen RTI playbook shows how to file parallel RTIs to MeitY, RBI, and TRAI to push slow grievances forward.

Real life example

Two months ago a college student in Indore installed a “free wifi finder” app that asked for camera, contacts, SMS, location, microphone, and storage. He tapped Allow on all. The app worked for one day and crashed. Three weeks later his mother received a WhatsApp message saying he had taken a loan of fifteen thousand rupees and was not paying. The number was Indian, the display picture was his face, and he had never taken a loan in his life.

In one evening he revoked all permissions, force stopped the app, took screenshots of the permission screen and install date, sent the DPDP withdrawal template above, filed on cybercrime.gov.in under “Online Cyber Trafficking”, filed on RBI Sachet, reported the app on Google Play, reset Gmail and Paytm passwords, uninstalled, and sent one WhatsApp note to family asking them to ignore loan related messages from him for the next month. Harassment stopped within four days. He did not have to visit a police station but kept his evidence pack ready.

The Indore example is a composite built from several real cases handled by community helpers, with details changed. The pattern is very common across small cities and college campuses.

Common mistakes

  • Uninstalling first. Deletes permission evidence and install date trace. Screenshot first.
  • Paying the “unlock fee”. Treat it like ransom; every rupee invites more.
  • Telling no one. Silence helps the harasser. Tell at least one family member and one friend.
  • Posting publicly on social media. A calm note to family is fine; a public X post may invite more scammers.
  • Reusing the same password elsewhere. Reset every login that shared the breached credentials.
  • Not checking other devices. Sign out of all sessions on Gmail Security and Apple ID.
  • Skipping the bank step. Even if no money is gone yet, watch the statement for 30 days.
  • Trusting “recovery agents” on Telegram or Instagram. Same scammers, second hat. Use only 1930 and cybercrime.gov.in.

Frequently asked questions

Q: Does revoking permissions delete data the app already copied?

No. Revoking stops further access from this moment. To force deletion of what was already copied, invoke your DPDP Act §12 erasure right by writing to the app, as in the sample template above.

Q: Is just uninstalling enough?

Uninstall removes the app from your phone but not the copy of your contacts or SMS already on the app's servers. Always send the consent withdrawal and erasure request even after uninstalling.

Q: My phone shows the camera or microphone indicator when no app is open. What now?

Strong sign of a background process or hidden app with accessibility access. Reboot, check accessibility services and device admin apps, run Play Protect, and factory reset if it continues. On iPhone, check App Privacy Report and reset all settings.

Q: Can a flashlight app really read my SMS?

A modern flashlight app from a known publisher cannot. A side loaded APK pretending to be one can request SMS at install on older Android or trick you with a fake “verify your number” prompt. Always install from the Play Store and read permissions.

Q: Are loan apps on the Play Store safe?

Some are, some are not. Trust only RBI regulated lenders or their authorised partners, and even those should not ask for full contacts or gallery access. Cross check the lender name against the RBI list before borrowing. See Bank freeze in cyber fraud cases.

Q: I revoked SMS permission and now my bank OTPs are not autofilling. Did I break my phone?

No. Bank OTP autofill on Android depends on the bank app or your default messaging app holding SMS permission (some newer bank apps use Google's SMS Retriever and need no SMS permission at all, so test before reinstating). Reinstate it only for trusted apps such as your bank app and your default messaging app. Keep it revoked for everything else.

Q: Can the police trace the harasser if the SIM is in a fake name?

Often yes. The cyber cell can request CDR and bank trails. Many recoveries happen because the harasser reused the same UPI ID across cases. Give the cyber cell the harassment messages, the app name, and the bank account if money was demanded.

Q: Does the DPDP Act 2023 apply to foreign apps?

Yes. Section 3 covers processing of personal data of Data Principals in India even if processing happens abroad, when connected with offering goods or services to people in India. Foreign loan apps marketing to Indians are covered.

Q: What if the app was preinstalled by my phone maker?

You can still revoke permissions. You may not be able to uninstall a system app but you can usually disable it: Settings, Apps, the app, Disable. If OEM bundled stalkerware came preinstalled, raise a consumer complaint as well.

Q: I gave permission a year ago. Can I still file under DPDP?

Yes. The right to withdraw consent and the right to erasure are not time barred at the citizen end. As long as the Fiduciary holds your personal data, you can withdraw consent and ask for erasure.

Q: My child's phone has a "parental control" app the school told us to install. Should I worry?

Schools and parents have a legitimate interest. Review the same way: which permissions, what data leaves the device, where it is stored, what the grievance officer contact is. DPDP Act 2023 §9 has special protections for children's data.

FAQ schema note

The 10 FAQs above are written in plain question and answer form, each as `==== Q ====` H3 headings. They are eligible for FAQPage JSON LD. The site wide schema generator at `/_assets/schema-auto.js` v2 picks up `==== Q ====` blocks and emits FAQPage automatically. Do not add inline `<HTML><script type="application/ld+json">` blocks here, as those render as visible code on this DokuWiki, per earlier site experience.

Sources and further reading

  • Digital Personal Data Protection Act 2023, sections 3, 6(4), 6(6), 9, 11, 12, 13, 27, and Schedule 1.
  • Information Technology Act 2000, sections 43A, 66, 66C, 66D, 67, 72A.
  • IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, especially rule 3 on intermediary due diligence and rule 4 on significant social media intermediaries.
  • Bharatiya Nyaya Sanhita 2023 (BNS), the criminal code that replaced the IPC in 2024, for cheating and criminal intimidation.
  • Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS), the procedure code that replaced the CrPC in 2024.
  • RBI “Guidelines on Digital Lending”, 2 September 2022, and subsequent circulars.
  • Google Play Developer Policy Center, “Permissions and APIs that Access Sensitive Information” and “User Data”.
  • Apple App Store Review Guidelines, section 5.1 “Privacy”, and the App Tracking Transparency documentation.
  • CERT-In advisories on Android malware and lending app abuse.
  • MeitY and MyGov consultations on data protection and digital lending.
  • National Cyber Crime Reporting Portal at cybercrime.gov.in and RBI Sachet at sachet.rbi.org.in.

Hero image prompt

For the social card, generate a 1200×630 image. Prompt:

“A modern Indian smartphone in a calm hand, screen showing four glowing permission toggles labelled Camera, Contacts, SMS, Location, all being switched off. Background a softly blurred Indian middle class living room at dusk with warm light. No human face. No brand logos. Mood is calm and reassuring, not alarming. Flat illustration style, soft Indian colour palette of saffron, teal, and cream. 1200 by 630 aspect, no text overlay.”

The page title should not be burned into the image. The OG generator at the site level will overlay the title automatically.

Last updated

Reviewed every quarter and after any major change to DPDP Act 2023 rules, RBI Digital Lending Guidelines, or Play and App Store policies.
