
Google Play store update means Android app permissions can be changed without consent

As part of a recent update to the Google Play store, Android users with automatic updates enabled are no longer required to review or accept permissions included in a permissions group already accepted for that app.

Not long after, a Reddit user set out to find exactly what that means, and how it could be exploited for nefarious purposes.

The Reddit user created an app, published it on the Play Store, and learned that permissions are divided into groups – and if you approve one you approve all.

The Reddit user then updated the app to a new version with additional permissions, including the ability to format the file system, make calls and send SMS messages without the user noticing.

After the new version was pushed as an update, the Play Store accepted the new permissions without needing user approval.
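The check below is an added example, not code from the article or from the Reddit user: it compares the `uses-permission` entries of two app versions and separates new permissions that fall into an already-accepted group from those that would still trigger a prompt. The two manifests are constructed samples, and the permission-to-group mapping is a simplified assumption, since the article does not list the Play Store's actual groups.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed, simplified permission-to-group mapping for illustration only;
# the article does not list the Play Store's actual groups.
GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.MOUNT_FORMAT_FILESYSTEMS": "Storage",
    "android.permission.CAMERA": "Camera",
}

# Constructed sample manifests for two versions of a hypothetical app.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace("</manifest>", """\
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.MOUNT_FORMAT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>""")

def permissions(manifest_xml):
    """Return the set of permission names requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def audit_update(old_xml, new_xml):
    """Split permissions added by an update into (silent, prompted) lists."""
    old, new = permissions(old_xml), permissions(new_xml)
    # A permission with no known group is treated as a group of its own.
    accepted = {GROUPS.get(p, p) for p in old}
    silent, prompted = [], []
    for perm in sorted(new - old):
        group = GROUPS.get(perm, perm)
        (silent if group in accepted else prompted).append((perm, group))
    return silent, prompted

if __name__ == "__main__":
    silent, prompted = audit_update(MANIFEST_V1, MANIFEST_V2)
    for perm, group in silent:
        print(f"added without prompt (group {group} already accepted): {perm}")
    for perm, group in prompted:
        print(f"added with prompt (new group {group}): {perm}")
```
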
