Comprehensive Analysis of the Android Google Play’s Auto-update Policy

  • Craig Sanders
  • Ayush Shah
  • Shengzhi Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


Google Play provides a large Android application repository, and its companion service application handles the initial installation and update processes. To ease management, a recent policy change by Google allows users to configure auto-update for installed applications based on permission groups rather than individual permissions. By analyzing the effects of the new auto-update policy on the Android permission system, with an emphasis on permission groups and protection levels, we find a new privilege escalation attack vector. We then evaluate 1200 Android applications to identify potential privilege escalation candidates, and investigate 1260 malware samples to study how malware could use the new attack vector to increase its chance of distribution without users noticing. Based on the evaluation results, we confirm that this new policy can be easily manipulated by malicious developers to gain highly privileged permissions without users’ consent. It is highly recommended that users of the new auto-update feature carefully review the permissions obtained after each update via the global setting, or simply turn off the feature.


Keywords: Android permission system; privilege escalation; Google Play’s auto-update





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department of Computer Sciences and Cybersecurity, Florida Institute of Technology, Melbourne, USA
