Abstract
Google Play provides a large Android application repository, and its companion service application handles the initial installation and the update process. To reduce management effort, a recent policy change by Google lets users configure auto-update for installed applications on the basis of permission groups rather than individual permissions. By analyzing the effects of the new auto-update policy on the Android permission system, with an emphasis on permission groups and protection levels, we find a new privilege escalation attack vector. We then evaluate 1200 Android applications to identify potential privilege escalation candidates, and investigate 1260 malware samples to study how the new attack vector could be used by malware to increase its chance of distribution without users' attention. Based on the evaluation results, we confirm that the new policy can easily be manipulated by malicious developers to obtain high-privilege permissions without users' consent. We strongly recommend that users of the new auto-update feature carefully review the permissions obtained after each update via the global setting, or simply turn the feature off.
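As an added example (not code from the paper), the following Python audits an app update the way the abstract suggests a reviewer should: it diffs the `<uses-permission>` entries of two decoded manifests and flags the added permissions that a group-based auto-update policy would grant without a fresh prompt. The permission-to-group table and both manifests are constructed for illustration.

```python
# Added example: audit which permissions an update would gain silently under a
# group-level auto-update policy. PERMISSION_INFO is an illustrative subset,
# not the platform's full table; both manifests below are constructed inputs.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# permission -> (permission group, protection level); constructed subset
PERMISSION_INFO = {
    "android.permission.RECEIVE_SMS": ("SMS", "dangerous"),
    "android.permission.READ_SMS": ("SMS", "dangerous"),
    "android.permission.SEND_SMS": ("SMS", "dangerous"),
    "android.permission.READ_CONTACTS": ("CONTACTS", "dangerous"),
    "android.permission.INTERNET": ("NETWORK", "normal"),
    "android.permission.VIBRATE": ("AFFECTS_BATTERY", "normal"),
}

def permissions_from_manifest(xml_text):
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit_update(old_perms, new_perms):
    """Classify added permissions: prompted (new dangerous group), silent_same_group
    (dangerous but group already approved), silent_normal, or unknown (review by hand)."""
    old, new = set(old_perms), set(new_perms)
    approved_groups = {PERMISSION_INFO[p][0] for p in old if p in PERMISSION_INFO}
    report = {"prompted": [], "silent_same_group": [], "silent_normal": [], "unknown": []}
    for perm in sorted(new - old):
        info = PERMISSION_INFO.get(perm)
        if info is None:
            report["unknown"].append(perm)
        elif info[1] != "dangerous":
            report["silent_normal"].append(perm)
        elif info[0] in approved_groups:
            report["silent_same_group"].append(perm)
        else:
            report["prompted"].append(perm)
    return report

# Constructed manifests for two versions of the same app.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace("</manifest>",
    '<uses-permission android:name="android.permission.SEND_SMS"/>\n'
    '<uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
    '<uses-permission android:name="android.permission.VIBRATE"/>\n</manifest>')
```

With these inputs, SEND_SMS lands in `silent_same_group` because the SMS group was approved at install time, while READ_CONTACTS introduces a new dangerous group and is the only addition that would still prompt.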
© 2015 Springer International Publishing Switzerland
Cite this paper
Sanders, C., Shah, A., Zhang, S. (2015). Comprehensive Analysis of the Android Google Play’s Auto-update Policy. In: Lopez, J., Wu, Y. (eds) Information Security Practice and Experience. ISPEC 2015. Lecture Notes in Computer Science(), vol 9065. Springer, Cham. https://doi.org/10.1007/978-3-319-17533-1_25
DOI: https://doi.org/10.1007/978-3-319-17533-1_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17532-4
Online ISBN: 978-3-319-17533-1