Comprehensive Analysis of the Android Google Play’s Auto-update Policy

Google Play provides a large Android application repository and the companion service application handles the initial installation and update processes. For the ease of management effort, a recent policy change by Google allows users to configure auto-update for installed applications based on permission groups, rather than individual permission. By analyzing the effects of the new auto-update policy on Android permission system with an emphasis on permission groups and protection levels, we find a new privilege escalation attack vector. Then 1200 Android applications are evaluated to identify potential privilege escalation candidates, and 1260 malware samples are investigated to study how the new attack vector could be utilized by the malware to increase the chance of distribution without users’ attention. Based on the evaluation results, we confirm that such new policy can be easily manipulated by malicious developers to gain high privileged permissions without users’ consent. It is highly recommended that users of the new auto-update feature carefully review permissions obtained after each update via global setting, or simply turn off the feature.