“New Play Store permission policy plays into the hands of malicious apps”
A recent policy change from the Google Play Store favors developers of rogue apps, a developer claims. After an update, for example, apps can suddenly send paid text messages without users noticing.
The developer, active on Reddit under the nick iamtubeman, tested this by publishing an app with relatively innocuous permissions in the Play Store and then updating it with many more permissions. The Play Store reported that the update required no additional permissions, so it installed the update automatically.
The trick is made possible by a recent adjustment by Google to the way the Play Store handles permissions. Google has divided permissions into categories, such as location and identity. If an app has access to the Contacts and Calendar category, that app can be granted any permissions that fall into that category without new permission.
For example, if the app asks for permission to use the accounts on a device, it can also read all contacts and view the user’s calendar without asking the user again. Since no new permission is needed, the Play Store performs the update automatically by default. Even with automatic updates turned off, the Play Store states that no ‘additional special permissions’ are required, while the app does receive many more permissions after the update.
This makes it possible for developers to first release an app with relatively harmless permissions and then perform an automatic update without much effort with many more permissions, for example to send paid text messages on behalf of the user. Google has not yet commented on the developer’s findings. The new policy has been in effect since last week.
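The grouping rule described above can be checked mechanically: given the permissions of the installed version and those of a pending update, report which added permissions would be granted without a new prompt because their group was already approved. This is an added example, not code from the article or from Google; the group assignments below are an illustrative assumption built from the article's description, not Google's authoritative mapping.

```python
# Added example: models the Play Store permission-group rule the article
# describes and flags permissions an update would receive without a new prompt.
# PERMISSION_GROUPS is an illustrative assumption derived from the article
# (the "Contacts and Calendar" category and the accounts/contacts/calendar
# example); it is not Google's authoritative group list.

PERMISSION_GROUPS = {
    "android.permission.GET_ACCOUNTS": "Contacts/Calendar",
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.WRITE_CONTACTS": "Contacts/Calendar",
    "android.permission.READ_CALENDAR": "Contacts/Calendar",
    "android.permission.WRITE_CALENDAR": "Contacts/Calendar",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
}


def group_of(permission):
    """Group a permission belongs to; unmapped permissions form their own group."""
    return PERMISSION_GROUPS.get(permission, permission)


def approved_groups(installed_perms):
    """Groups the user already accepted when installing the current version."""
    return {group_of(p) for p in installed_perms}


def classify_update(installed_perms, update_perms):
    """Split permissions newly requested by an update into those granted
    silently (group already approved) and those that would prompt the user.
    Both lists are returned sorted for stable output."""
    added = set(update_perms) - set(installed_perms)
    approved = approved_groups(installed_perms)
    silent = sorted(p for p in added if group_of(p) in approved)
    prompted = sorted(p for p in added if group_of(p) not in approved)
    return silent, prompted


if __name__ == "__main__":
    # Constructed sample: v1 asks for accounts and incoming SMS; v2 adds more.
    v1 = {"android.permission.GET_ACCOUNTS", "android.permission.RECEIVE_SMS"}
    v2 = v1 | {"android.permission.READ_CONTACTS",
               "android.permission.READ_CALENDAR",
               "android.permission.SEND_SMS",
               "android.permission.ACCESS_FINE_LOCATION"}
    silent, prompted = classify_update(v1, v2)
    print("granted without prompt:", silent)
    print("would prompt the user: ", prompted)
```

Reviewing the "granted without prompt" list before accepting an update is the practical check: an app that starts with one permission from a group can later pick up every other permission in that group unnoticed.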