Banking apps are designed to make managing money effortless, but new research reveals they may be doing far more behind the scenes than most users realize. Many of these finance tools exploit routine operating system permissions — from tracking your location and accessing contacts to monitoring which other apps you use — to quietly harvest a constant stream of personal data that extends well beyond your finances. They don’t just follow your transactions; they follow you, around the clock, turning what should be a security feature into a powerful surveillance weapon for advertisers and third parties. The real question is: how much are you giving away each time you tap “allow”?
Cybernews reveals the dark side of finance apps
Most users turn to finance apps for simple tasks — checking account balances, transferring money, or paying bills. But behind the convenience, many of these apps appear to be collecting far more than just financial information. To uncover the extent of this practice, researchers at Cybernews conducted a deep dive into the permissions these apps request.
The investigation began on August 6, when the Cybernews team pulled data from Google Play’s auto-generated list of “Top Free Finance Apps.” Out of 45 apps on the list, 44 were successfully downloaded directly from the Play Store using a third-party tool. From there, the researchers built custom scripts to analyze the apps’ AndroidManifest.xml files, extracting every permission declared by each application package.
This raw data was then cross-referenced with the Android Open Source Project (AOSP) to precisely categorize and identify two critical things: first, which permissions are considered “dangerous”—those giving access to sensitive data like location or microphone; and second, which permissions are automatically granted to the app without ever requiring the user’s explicit knowledge or consent.
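An added example of the manifest analysis described above; it is an illustration, not the Cybernews scripts. It assumes the manifest has already been decoded from the APK's binary XML into text, uses a hand-picked subset of AOSP's protection-level classifications, and runs on a constructed sample manifest for a hypothetical package `com.example.financeapp`.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace
PREFIX = "android.permission."
# Hand-picked subset of AOSP protection levels (assumption: not the full list).
DANGEROUS = {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
             "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
             "READ_CONTACTS", "READ_CALENDAR",
             "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"}
NORMAL = {"INTERNET", "ACCESS_NETWORK_STATE", "QUERY_ALL_PACKAGES"}

# Constructed sample manifest in decoded text form; not from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.financeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission android:name="com.example.financeapp.permission.PUSH"/>
</manifest>"""

def audit_manifest(xml_text, device_sdk=34):
    """Group the permissions that apply on a device running API level device_sdk."""
    root = ET.fromstring(xml_text)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            max_sdk = el.get(ANDROID + "maxSdkVersion")
            # maxSdkVersion: the permission is not requested on newer devices.
            if name and (max_sdk is None or int(max_sdk) >= device_sdk):
                declared.add(name)
    report = {"dangerous": [], "install_time": [], "unclassified": []}
    for name in sorted(declared):
        short = name[len(PREFIX):] if name.startswith(PREFIX) else None
        if short in DANGEROUS:
            report["dangerous"].append(name)      # needs a runtime prompt
        elif short in NORMAL:
            report["install_time"].append(name)   # granted without a prompt
        else:
            report["unclassified"].append(name)   # custom or not in the subset
    return report

if __name__ == "__main__":
    for group, names in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{group} ({len(names)}):", ", ".join(names))
```

Counting only the `dangerous` group per app gives the kind of ranking shown later in the article; the `install_time` group is where permissions granted without a prompt show up.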
What do finance apps really do with your data?
The core finding of the research is that finance apps are doing much more than just managing your money; they are aggressively collecting your personal data to make money, often through advertising networks. This means they use data about your behavior to target you with ads.
For instance, almost three-quarters of the apps track which ads you click and what you do afterwards—whether you buy something or download another app—which is highly valuable to marketers as it helps them build a detailed profile of you and your shopping habits. Furthermore, most apps collect your device’s Advertising ID, a unique code that allows ad networks to recognize your phone and link your current activity to everything you’ve done in the past.
This data collection operates as a black box, and the lack of transparency is a major problem: it is not clear where this sensitive information goes. Weak privacy rules mean it is unsettlingly possible that this data could be used to affect your credit score or reveal your income and spending habits to a wide range of third parties.
Beyond collecting data for ad networks, the research uncovered a widespread and concerning demand for “dangerous permissions” that have little to do with banking, significantly increasing user vulnerability. The most common invasive requests include Camera access (requested by 86% of apps) and Microphone access (61%), which, while not definitive proof of spying, dangerously widens the attack surface for hackers who could gain unauthorized surveillance capabilities. Furthermore, 77% of apps demand precise location tracking, with over a quarter requesting 24/7 background access even when the app is closed, creating a detailed log of your daily life. An additional 68% request Read/Write storage access, which could give a compromised app a window into your private photos and files.
This is compounded by a clear case of “permission creep,” as apps also request baffling, unrelated access to things like your network status, the ability to download files silently, or even your full list of installed applications and contacts/calendar, collectively exposing users to unnecessary data breach risks.
Top 15 finance apps asking for the most dangerous permissions
Out of the 44 finance apps analyzed, 15 stood out for requesting the highest number of dangerous permissions — ranging from camera and microphone access to precise location tracking. At the top is EarnIn with 14 risky permissions. Close behind are GEICO Mobile, Google Wallet, and Venmo, each collecting 13. Bank of America Mobile Banking and Cash App followed with 12, while Crypto.com, Kraken, and Wells Fargo Mobile each requested 11. Rounding out the list with 10 permissions apiece were Dave, Cleo AI, PayPal, Progressive, Robinhood, and State Farm.
- EarnIn (14)
- GEICO Mobile (13)
- Google Wallet (13)
- Venmo (13)
- Bank of America Mobile Banking (12)
- Cash App (12)
- Crypto.com (11)
- Kraken (11)
- Wells Fargo Mobile (11)
- Dave (10)
- Cleo AI (10)
- PayPal (10)
- Progressive (10)
- Robinhood (10)
- State Farm (10)
Why excessive app permissions are a major security risk
Giving an app more permissions than it needs is far from harmless—it’s an open invitation to two major risks. First is “function creep”: the polite access you gave for a single feature can be silently repurposed to harvest a wider range of data. Second is third-party exposure: your data is funneled to unseen brokers and analytics firms, each contributing to a detailed profile of your daily habits. With every additional organization that touches your information, the chances of leaks, misuse, or exploitation multiply.
The ultimate nightmare scenario is a data breach, which occurs more often than most people realize—for example, over two million U.S. accounts were compromised in the first half of 2025 alone. When a highly-permitted app is successfully breached, criminals gain a goldmine of information: your full name, contact list, travel history, and private calendar events. The wider the permissions you grant, the larger the hacker’s haul.
What can hackers do with this haul? The risks are personal and severe. Stolen details enable identity theft and sophisticated spear-phishing attacks designed to trick your friends and family. Leaked location data can transition to real-world danger through stalking or by helping criminals pinpoint the ideal time for a home burglary. If they manage to seize sensitive files, private camera images, or microphone recordings, they have powerful leverage for blackmail or extortion. Finally, some attackers may use doxxing—publicly exposing private information—to intimidate or shame victims. These specific threats are just the starting point; the full danger expands with the hacker’s skill and the sheer amount of sensitive data exposed.
How to protect yourself from apps’ excessive access
Here is a clear, actionable guide to securing your device:
- Practice Least Privilege: Only grant an app the absolute minimum permissions required for its core function. If an app doesn’t need a specific permission, deny it.
- Conduct a Digital Audit: Go through your installed apps and immediately revoke all unnecessary permissions (e.g., turning off microphone or camera access for a banking app).
- Be Ruthless in Deletion: Delete any apps you no longer use, as they often continue to collect data on you silently in the background.
- Scrutinize New Installs: Never blindly accept permission requests when installing a new app, even if you are in a rush. Question every piece of access it asks for.
- Enable Automatic Updates: Keep your apps and operating system constantly updated, as these patches frequently contain critical security fixes for vulnerabilities that hackers could exploit.
Source: Cybernews