Google’s Android is the most popular mobile operating system for malware, an ecosystem “feature” criticized by many including Apple, which has took some shots at Google during its WWDC 2014 keynote for this particular problem. Even Google acknowledged that Android is more likely to be targeted by malware, but explained that’s simply because it’s the dominant mobile OS, and thus the obvious choice for malware developers.
In early June, Google released an update to its Google Play Store, bringing a new simplified app permission system to Android apps, among other features. What Google has done with app permission is to assign them to certain groups, likely for end-users to have an easier time dealing with app permissions.
But one Reddit user revealed that once a user approves an app’s permissions, the developer can then include additional permissions from that group in a future app update, and it will not trigger a prompt for users to re-approve the new permissions when the updated app is installed. This new feature could allow developers to add abilities to their apps, thus giving them access to various smartphone features and data without the user being explicitly informed about the changes.
Reddit user iamtubeman revealed that he quickly created a test Android application, which was approved in the Play Store. In a following update, he added more permissions, all from the same groups with the ones in the previous update.
“As you can see, some of these are really nasty,” he wrote, after listing the newly added permissions. For example the ability to format your filesystem or to make calls and send SMS without you noticing.”
“I pushed the new version as an update, and guess what? The Play app swallowed all these dangerous permissions and updated my app without question,” he added, providing before-and-after screenshots to prove it. In the past, app permission changes following an app update would have triggered a prompt for the user.
Following this revelation, Android Police has taken an in-depth look at the new permissions, agreeing that this new feature could allow malicious app developers to covertly add more permissions to their apps in the future, even though it’s not likely to actually affect anyone, especially those users who don’t pay attention to apps permissions in the first place.
Google has additional Play Store security measures in place that should help it prevent malicious app behavior, although it’s worth pointing out that recently, a few malicious apps have been discovered in the Play Store, having certain hidden capabilities that could allow them to turn Android devices into silent Bitcoin miners. While these are extreme cases, which are likely to be discovered and removed from the Play Store, there are always those apps that want to collect data about you without your knowledge for other commercial purposes which could take advantage of the new app permissions. After all, even before the app permissions update, one certain flashlight app managed to collect plenty of user data without consent, escaping without a fine after having been investigated for its alleged wrong-doings.