As part of a recent update to the Google Play store, Android users with automatic updates enabled are no longer required to review or accept permissions included in a permissions group already accepted for that app.
Not long after, a Reddit user set out to find exactly what that means, and how it could be exploited for nefarious purposes.
The Reddit user created an app, published it on the Play Store, and learned that permissions are divided into groups – and if you approve one you approve all.
The Reddit user then updated the app to a new version with additional permissions, including the ability to format the file system, make calls and send SMS messages without the user noticing.
After pushing the new version as an update, the Play Store accepted the new permissions without needing user approval.