{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T16:17:21Z","timestamp":1772641041668,"version":"3.50.1"},"reference-count":60,"publisher":"Springer Science and Business Media LLC","issue":"2",
"license":[{"start":{"date-parts":[[2025,8,1]],"date-time":"2025-08-01T00:00:00Z","timestamp":1754006400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,1]],"date-time":"2025-08-01T00:00:00Z","timestamp":1754006400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],
"funder":[{"DOI":"10.13039\/501100002386","name":"Cairo University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100002386","id-type":"DOI","asserted-by":"crossref"}]}],
"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Autom Softw Eng"],"published-print":{"date-parts":[[2025,11]]},
"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Android\u2019s most widely used smartphone OS has several inter-app communication options, such as broadcast receivers, intents, content providers, and objectives. Even though the Android permission system restricts access and safeguards user data, security flaws allow malicious apps to abuse permission systems. Higher-order privilege escalation, where apps cooperate to circumvent security limitations throughout several phases, is a key vulnerability in this ecosystem. This paper presents a new method for n-order case analysis to find undetectable privilege escalations. Our approach systematically identifies multi-stage permission escalations via automated test case generation and stationary analysis. Unlike current methods emphasizing direct permission misuse, our approach analyzes escalation chains across many app interactions and uncovered 52,982 instances of fourth-order privilege escalation that went unnoticed when just first-order transitions were examined. Furthermore, our findings show an important distinction: benign programs gradually gain greater permissions through escalation chains, whereas malignant apps request excessively high upfront rights. This difference emphasizes the necessity of better permission management techniques to reduce the serious risk associated with rising higher-order privilege escalations, which are generally disregarded by current detection systems. Therefore, our method fulfills the need for a more scalable detection technique to address this challenging security concern in the Android ecosystem.<\/jats:p>",
"DOI":"10.1007\/s10515-025-00542-4","type":"journal-article","created":{"date-parts":[[2025,8,1]],"date-time":"2025-08-01T04:32:54Z","timestamp":1754022774000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Detection of hidden privilege escalations in android"],"prefix":"10.1007","volume":"32",
"author":[{"given":"Mohamed A.","family":"El-Zawawy","sequence":"first","affiliation":[]},{"given":"Aya","family":"Hamdy","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,1]]},
"reference":[
{"key":"542_CR1","doi-asserted-by":"crossref","unstructured":"Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: Mining API-level features for robust malware detection in Android. In Proc. 9th Int. Conf. Security and Privacy in Communication Networks (SecureComm), pp. 86\u2013103, (2013)","DOI":"10.1007\/978-3-319-04283-1_6"},
{"key":"542_CR2","doi-asserted-by":"crossref","unstructured":"Allix, K., et al.: Androzoo: Collecting millions of android apps for the research community. In Proceedings of the 13th international conference on mining software repositories. pp. 468\u2013471, (2016)","DOI":"10.1145\/2901739.2903508"},
{"key":"542_CR3","doi-asserted-by":"publisher","unstructured":"Amalfitano, D., Fasolino, A.R., Tramontana, P., De Carmine, S., Memon, A.M.: Using GUI Ripping for Automated Testing of Android Applications. In Proceedings of the 27th IEEE\/ACM International Conference on Automated Software Engineering (ASE 2012), pp. 258\u2013261, (2012). ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/2351676.2351717","DOI":"10.1145\/2351676.2351717"},
{"key":"542_CR4","doi-asserted-by":"crossref","unstructured":"Amalfitano, D., Fasolino, A.R., Tramontana, P.: A GUI crawling-based technique for Android mobile application testing. In 2011 IEEE Fourth International Conference on Software Testing, Verification, and Validation Workshops, pp. 252\u2013261, (2011). IEEE","DOI":"10.1109\/ICSTW.2011.77"},
{"key":"542_CR5","unstructured":"Androguard Team.: Androguard: Reverse Engineering and Analysis of Android Applications. Version 3.4.0, (2024). https:\/\/github.com\/androguard\/androguard"},
{"key":"542_CR6","unstructured":"Android Developer Documentation. Intents and Intent Filters. https:\/\/developer.android.com\/guide\/components\/intents-filters Accessed: 31-May-2025"},
{"key":"542_CR7","unstructured":"Android Developers.: Android Developers Guide (2020). https:\/\/developer.android.com\/guide\/components\/fundamentals. Accessed: 30-May-2025"},
{"key":"542_CR8","unstructured":"Android Developers.: Permissions overview (2023). https:\/\/developer.android.com\/guide\/topics\/permissions\/overview"},
{"key":"542_CR9","doi-asserted-by":"crossref","unstructured":"Arp, D., Spreitzenbarth, M., Huebner, M., Gascon, H., Rieck, K.: DREBIN: Effective and explainable detection of Android malware in your pocket. In Proc. 21st Annu. Network and Distributed System Security Symp. (NDSS), (2014)","DOI":"10.14722\/ndss.2014.23247"},
{"issue":"6","key":"542_CR10","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1145\/2666356.2594299","volume":"49","author":"S Arzt","year":"2014","unstructured":"Arzt, S., et al.: Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM Sigplan Notices 49(6), 259\u2013269 (2014)","journal-title":"ACM Sigplan Notices"},
{"key":"542_CR11","doi-asserted-by":"crossref","unstructured":"Au, K., et al.: PScout: Analyzing the Android Permission Model. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 217\u2013228, (2012)","DOI":"10.1145\/2382196.2382222"},
{"issue":"9","key":"542_CR12","doi-asserted-by":"publisher","first-page":"866","DOI":"10.1109\/TSE.2015.2419611","volume":"41","author":"H Bagheri","year":"2015","unstructured":"Bagheri, H., et al.: Covert: Compositional analysis of android inter-app permission leakage. IEEE Trans. Softw. Eng. 41(9), 866\u2013886 (2015)","journal-title":"IEEE Trans. Softw. Eng."},
{"key":"542_CR13","doi-asserted-by":"publisher","unstructured":"Barrera, E., et al.: A methodology for defending Android applications against permission-based attacks. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), pp. 319\u2013328, (2010). https:\/\/doi.org\/10.1109\/ACSAC.2010.55","DOI":"10.1109\/ACSAC.2010.55"},
{"key":"542_CR14","doi-asserted-by":"publisher","unstructured":"Biskup, J., et al.: Kirin: A Tool for Detecting Permission Misuse in Android Applications. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), pp. 439\u2013448, (2010). https:\/\/doi.org\/10.1109\/ACSAC.2010.60.","DOI":"10.1109\/ACSAC.2010.60."},
{"issue":"1","key":"542_CR15","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1023\/A:1010933404324","volume":"45","author":"L Breiman","year":"2001","unstructured":"Breiman, L.: Random Forests. Mach. Learn. 45(1), 5\u201332 (2001)","journal-title":"Mach. Learn."},
{"key":"542_CR16","unstructured":"BuildFire.: App Statistics 2023, (2023). https:\/\/buildfire.com\/app-statistics\/. Accessed: 30-May-2025"},
{"key":"542_CR17","doi-asserted-by":"crossref","unstructured":"Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In Proc. 9th Int. Conf. Mobile Systems, Applications, and Services (MobiSys), pp. 239\u2013252, (2011)","DOI":"10.1145\/1999995.2000018"},
{"key":"542_CR18","doi-asserted-by":"crossref","unstructured":"Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proc. 9th Int. Conf. Mobile Syst., Appl., Services, pp. 239\u2013252, (2011)","DOI":"10.1145\/1999995.2000018"},
{"key":"542_CR19","doi-asserted-by":"publisher","first-page":"98","DOI":"10.1016\/j.cose.2017.04.002","volume":"68","author":"T Dai","year":"2017","unstructured":"Dai, T., et al.: Roppdroid: Robust permission re-delegation prevention in android inter-component communication. Comput. Secur. 68, 98\u2013111 (2017)","journal-title":"Comput. Secur."},
{"key":"542_CR20","unstructured":"Davi, L., et al.: Privilege escalation attacks on android. In Information Security: 13th International Conference, ISC 2010, Boca Raton, FL, USA, October 25-28, 2010, Revised Selected Papers 13, pp. 346\u2013360, (2011). Springer"},
{"key":"542_CR21","doi-asserted-by":"crossref","unstructured":"Demissie, B.F., Ceccato, M., Shar, L.K.: Anflo: Detecting anomalous sensitive information flows in android apps. In Proc. 5th Int. Conf. Mobile Softw. Eng. Syst., pp. 24\u201334, (2018)","DOI":"10.1145\/3197231.3197238"},
{"key":"542_CR22","doi-asserted-by":"crossref","unstructured":"Demissie, B.F., Ceccato, M.: Security testing of second order permission re-delegation vulnerabilities in android apps. In Proceedings of the IEEE\/ACM 7th International Conference on Mobile Software Engineering and Systems. pp. 1\u201311, (2020)","DOI":"10.1145\/3387905.3388592"},
{"key":"542_CR23","doi-asserted-by":"crossref","unstructured":"Demissie, B.F., Ghio, D., Ceccato, M., Avancini, A.: Identifying android inter app communication vulnerabilities using static and dynamic analysis. In: Proc. Int. Conf. Mobile Softw. Eng. Syst., pp. 255\u2013266, (2016)","DOI":"10.1145\/2897073.2897082"},
{"key":"542_CR24","first-page":"3","volume":"31","author":"M Dietz","year":"2011","unstructured":"Dietz, M., et al.: Quire: Lightweight provenance for smart phone operating systems. USENIX Secur. Symp. 31, 3 (2011)","journal-title":"USENIX Secur. Symp."},
{"key":"542_CR25","unstructured":"Elish, K.O., Yao, D., Ryder, B.G.: On the need of precise inter-app ICC classification for detecting Android malware collusions. In: Proceedings of IEEE mobile security technologies (MoST), in conjunction with the IEEE symposium on security and privacy, (2015)"},
{"key":"542_CR26","doi-asserted-by":"publisher","unstructured":"El-Zawawy, M.A.: Detection of Hidden Privilege Escalations in Android, (2025). https:\/\/doi.org\/10.5281\/zenodo.15554469","DOI":"10.5281\/zenodo.15554469"},
{"issue":"2","key":"542_CR27","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2619091","volume":"32","author":"W Enck","year":"2014","unstructured":"Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 1\u201329 (2014)","journal-title":"ACM Trans. Comput. Syst."},
{"key":"542_CR28","doi-asserted-by":"crossref","unstructured":"Felt, A., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In Proc. 18th ACM Conf. Computer and Communications Security (CCS), pp. 627\u2013638, (2011)","DOI":"10.1145\/2046707.2046779"},
{"key":"542_CR29","doi-asserted-by":"crossref","unstructured":"Felt, A., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions: User attention, comprehension, and behavior. In Proc. 8th Symp. Usable Privacy and Security (SOUPS), pp. 1\u201314, (2012)","DOI":"10.1145\/2335356.2335360"},
{"key":"542_CR30","doi-asserted-by":"publisher","unstructured":"Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Stowaway: A Static Analyzer for Detecting Insecure Data Transmission in Android Applications. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), pp. 50\u201361, (2011). https:\/\/doi.org\/10.1145\/2046707.2046713.","DOI":"10.1145\/2046707.2046713."},
{"key":"542_CR31","first-page":"88","volume":"30","author":"AP Felt","year":"2011","unstructured":"Felt, A.P., et al.: Permission re-delegation: Attacks and defenses. USENIX Secur. Symp. 30, 88 (2011)","journal-title":"USENIX Secur. Symp."},
{"key":"542_CR32","unstructured":"Ghafari, M., Gadient, P., Nierstrasz, O.: Security Smells in Android. arXiv:2006.01181 (2020)"},
{"key":"542_CR33","doi-asserted-by":"crossref","unstructured":"Gibler, C., Crussell, J., Erickson, J., Chen, H.: Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale. In Trust and Trustworthy Computing, pp. 291\u2013307, (2012)","DOI":"10.1007\/978-3-642-30921-2_17"},
{"key":"542_CR34","unstructured":"Gorski III, S.A., et al.: FReD: Identifying file Re-Delegation in android system services. In 31st USENIX Security Symposium (USENIX Security 22). pp. 1525\u20131542, (2022)"},
{"key":"542_CR35","unstructured":"Grace, M.C., Zhou, Y., Wang, Z., Jiang, X.: Systematic detection of capability leaks in stock android smartphones. In Proc. NDSS, p. 19, (2012)"},
{"key":"542_CR36","unstructured":"Harris, C.R. et al.: NumPy: Array Programming with Python. Version 1.26.0, (2020). https:\/\/numpy.org"},
{"key":"542_CR37","doi-asserted-by":"crossref","unstructured":"Hosmer, D.W., Lemeshow, S., Sturdivant, R.X.: Applied Logistic Regression, 3rd ed., Wiley, (2013)","DOI":"10.1002\/9781118548387"},
{"key":"542_CR38","doi-asserted-by":"publisher","unstructured":"Hu, C., Neamtiu, I.: Automating GUI Testing for Android Applications. In: Proceedings of the 6th International Workshop on Automation of Software Testing (AST \u201911), pp. 77\u201383, (2011). ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/1982595.1982612","DOI":"10.1145\/1982595.1982612"},
{"key":"542_CR39","unstructured":"Jiang, Y.Z.X., Xuxian, Z.: Detecting passive content leaks and pollution in android applications. In Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), (2013)"},
{"key":"542_CR40","doi-asserted-by":"crossref","unstructured":"Klieber, W., Flynn, L., Bhosale, A., Jia, L., Bauer, L.: Android taint flow analysis for app sets. In Proc. 3rd ACM SIGPLAN Int. Workshop State Art Java Program Anal., pp. 1\u20136, (2014)","DOI":"10.1145\/2614628.2614633"},
{"key":"542_CR41","unstructured":"Kohavi, R.: A Study of Cross-Validation and Bootstrap for Accuracy Estimation and Model Selection. In Proc. 14th Int. Joint Conf. Artificial Intelligence (IJCAI), pp. 1137\u20131145, (1995)"},
{"key":"542_CR42","doi-asserted-by":"crossref","unstructured":"Li, L., et al.: Iccta: Detecting inter-component privacy leaks in Android apps. In 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering. vol. 1, pp. 280\u2013291, (2015). IEEE","DOI":"10.1109\/ICSE.2015.48"},
{"key":"542_CR43","unstructured":"Localytics.: App Launch Stats: 23% of users abandon an app after one use, (2016). https:\/\/www.fierce-network.com\/developer\/localytics-a-quarter-downloaded-apps-used-only-once. Accessed: 30-May-2025"},
{"issue":"1","key":"542_CR44","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1002\/widm.8","volume":"1","author":"W-Y Loh","year":"2011","unstructured":"Loh, W.-Y.: Classification and regression trees. Wiley Interdisc. Rev. Data Min. Knowl. Disc. 1(1), 14\u201323 (2011)","journal-title":"Wiley Interdisc. Rev. Data Min. Knowl. Disc."},
{"key":"542_CR45","doi-asserted-by":"crossref","unstructured":"Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In Proc. 2012 ACM Conf. Comput. Commun. Secur., pp. 229\u2013240 (2012)","DOI":"10.1145\/2382196.2382223"},
{"key":"542_CR46","doi-asserted-by":"crossref","unstructured":"Mann, C., Starostin, A.: A framework for static detection of privacy leaks in android applications. In Proc. 27th Annu. ACM Symp. Appl. Comput., pp. 1457\u20131462, (2012)","DOI":"10.1145\/2245276.2232009"},
{"key":"542_CR47","doi-asserted-by":"crossref","unstructured":"Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM symposium on information, computer and communications security. pp. 328\u2013332, (2010)","DOI":"10.1145\/1755688.1755732"},
{"key":"542_CR48","unstructured":"Octeau, D., et al.: Effective Inter-Component communication mapping in android: An essential step towards holistic security analysis. In 22nd USENIX Security Symposium (USENIX Security 13), (2013)"},
{"key":"542_CR49","unstructured":"Octeau, D. et al.: Effective inter-component communication mapping in android: An essential step towards holistic security analysis. In Proc. 22nd USENIX Secur. Symp., pp. 543\u2013558, (2013)"},
{"key":"542_CR50","unstructured":"Pandas Development Team.: Pandas: Python Data Analysis Library. Version 2.1.0, (2024). https:\/\/pandas.pydata.org"},
{"key":"542_CR51","doi-asserted-by":"crossref","unstructured":"Peng, H., et al.: Using probabilistic generative models for ranking risks of android apps. In Proceedings of the 2012 ACM conference on Computer and Communications Security. pp. 241\u2013252, (2012)","DOI":"10.1145\/2382196.2382224"},
{"issue":"1","key":"542_CR52","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1023\/A:1022643204877","volume":"1","author":"JR Quinlan","year":"1986","unstructured":"Quinlan, J.R.: Induction of Decision Trees. Mach. Learn. 1(1), 81\u2013106 (1986)","journal-title":"Mach. Learn."},
{"key":"542_CR53","doi-asserted-by":"crossref","unstructured":"Ravitch, T., et al.: Multi-app security analysis with fuse: Statically detecting android app collusion. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop, pp. 1\u201310, (2014)","DOI":"10.1145\/2689702.2689705"},
{"key":"542_CR54","unstructured":"Scikit-learn Developers.: Scikit-learn: Machine Learning in Python. Version 1.3.0, (2024). https:\/\/scikit-learn.org"},
{"key":"542_CR55","unstructured":"Statista.: Top 10 apps dominate time spent on smartphones (2023) https:\/\/www.statista.com\/chart\/3835\/top-10-app-usage\/. Accessed: 30-May-2025"},
{"issue":"11","key":"542_CR56","doi-asserted-by":"publisher","first-page":"1869","DOI":"10.1109\/TIFS.2014.2353996","volume":"9","author":"W Wang","year":"2014","unstructured":"Wang, W., et al.: Exploring permission-induced risk in android applications for malicious application detection. IEEE Trans. Inf. Forens. Secur. 9(11), 1869\u20131882 (2014)","journal-title":"IEEE Trans. Inf. Forens. Secur."},
{"issue":"3","key":"542_CR57","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3183575","volume":"21","author":"F Wei","year":"2018","unstructured":"Wei, F., Roy, S., Ou, X., Robby: Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Trans. Privacy Secur. 21(3), 1\u201332 (2018)","journal-title":"ACM Trans. Privacy Secur."},
{"key":"542_CR58","doi-asserted-by":"crossref","unstructured":"Wu, D., Cheng, Y., Gao, D., Li, Y., Deng, R.H.: SCLib: A practical and lightweight defense against component hijacking in Android applications. arXiv:1801.04372. (2018)","DOI":"10.1145\/3176258.3176336"},
{"key":"542_CR59","doi-asserted-by":"crossref","unstructured":"Xu, M., et al.: Appholmes: Detecting and characterizing app collusion among third-party android markets. In Proceedings of the 26th international conference on World Wide Web. pp. 143\u2013152, (2017)","DOI":"10.1145\/3038912.3052645"},
{"key":"542_CR60","doi-asserted-by":"crossref","unstructured":"Zhong, J., Huang, J., Liang, B.: Android permission re-delegation detection and test case generation. In 2012 International conference on computer science and service system, pp. 871\u2013874, (2012). IEEE","DOI":"10.1109\/CSSS.2012.222"}
],
"container-title":["Automated Software Engineering"],"original-title":[],"language":"en",
"link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10515-025-00542-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10515-025-00542-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10515-025-00542-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],
"deposited":{"date-parts":[[2025,9,10]],"date-time":"2025-09-10T13:58:16Z","timestamp":1757512696000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10515-025-00542-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,1]]},"references-count":60,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,11]]}},"alternative-id":["542"],"URL":"https:\/\/doi.org\/10.1007\/s10515-025-00542-4","relation":{},"ISSN":["0928-8910","1573-7535"],"issn-type":[{"value":"0928-8910","type":"print"},{"value":"1573-7535","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,1]]},
"assertion":[{"value":"6 April 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 July 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 August 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"68"}}