Evasion of Google Play Protect Security Mechanisms Through Incremental Malicious Updates

Abstract

Android is a leading mobile Operating System (OS), and its market share is increasing drastically. Every Android device has a built-in service called Play Store for application distribution and updates. A malicious application distributed through the Google play store may create a privacy breach. In order to protect end-users, an in-depth security mechanism, namely Google Play Protect, has been deployed in the Google Play Store to safeguard Android devices from malicious applications. In this work, we have investigated the malicious application detection capabilities of the Google Play Protect by employing a novel attack based on incremental malicious updates, which circumvents the security afforded by Play Protect. Therefore, a seemingly benign application called Voice Search is designed and deployed on Play Store. The Voice Search application exploits Google Play Store permissions and bypasses users' privacy through malicious updates. After malicious updates are installed, the application collects the required data such as device details, location, contact information and exfiltrates it to the attacker's server. Results show that Google Play Protect is vulnerable to malicious incremental update attacks.