A Comprehensive Analysis of Evolving Permission Usage in Android Apps: Trends, Threats, and Ecosystem Insights

Abstract

The proper use of Android app permissions is crucial to the success and security of these apps. Users must agree to permission requests when installing or running their apps. Despite official Android platform documentation on proper permission usage, there are still many cases of permission abuse. This study provides a comprehensive analysis of the Android permission landscape, highlighting trends and patterns in permission requests across various applications from the Google Play Store. By distinguishing between benign and malicious applications, we uncover developers’ evolving strategies, with malicious apps increasingly requesting fewer permissions to evade detection, while benign apps request more to enhance functionality. In addition to examining permission trends across years and app features such as advertisements, in-app purchases, content ratings, and app sizes, we leverage association rule mining using the FP-Growth algorithm. This allows us to uncover frequent permission combinations across the entire dataset, specific years, and 16 app genres. The analysis reveals significant differences in permission usage patterns, providing a deeper understanding of co-occurring permissions and their implications for user privacy and app functionality. By categorizing permissions into high-level semantic groups and examining their application across distinct app categories, this study offers a structured approach to analyzing the dynamics within the Android ecosystem. The findings emphasize the importance of continuous monitoring, user education, and regulatory oversight to address permission misuse effectively.

1. Introduction

Android holds a market share of 72.2%, making it the most widely used mobile operating system globally, powering billions of devices from smartphones to tablets and wearables [1]. Its open-source nature and comprehensive app ecosystem have driven its popularity. Android’s versatility and adaptability have made it a cornerstone of mobile technology, fostering innovation and accessibility across various applications. As of 2024, the Google Play Store offers an extensive collection of about 2.4 million mobile apps [2], catering to the diverse preferences of Android users. This prolific app landscape serves a user base of approximately 3.6 billion device owners [3].

The permission system is central to Android apps’ functionality and security [4], which governs access to sensitive data and essential device functions. Permissions regulate access to personal information, such as contacts, messages, location, and hardware features, like the camera and microphone [5]. With its ample features, this permission system empowers users to control the data and functionalities that apps can access, thereby protecting their privacy and enhancing security [6]. The Android permission system operates on the principle of least privilege, meaning that apps should only request permissions necessary for their core functionality [7,8]. This minimizes abuse potential and reduces security breach risks. When an app is installed, it requests permissions specified in its manifest file. Users must grant these permissions for the app to function correctly [9].

The study of app permissions within the Android ecosystem is paramount due to several critical factors. Firstly, permissions are crucial gatekeepers to sensitive data and essential device functionalities [10]. Improperly managing these permissions, such as over-requests or application misuses, introduces substantial security and privacy risks [11]. User personal information, including contacts, messages, and location data, can be susceptible to unauthorized access and malicious exploitation. This underscores the importance of scrutinizing how permissions are requested and used. This will mitigate potential security threats and enhance the Android platform’s integrity. Permission management has significant implications for both developers and users. From a user perspective, understanding and controlling app permissions is crucial to maintaining privacy and trust. Users are more likely to engage with and recommend apps that are transparent about their data usage and request only the necessary permissions.

Understanding the status quo of the Android permission system and its use across various applications through statistical analysis, correlational understanding, and contrast is critical. However, this topic is not new, and several studies have examined this question (as highlighted in Section 2). Nonetheless, we believe that this pursuit is still important for the following reasons: First, we examine a new and fresh set of applications that reflect an up-to-date view of the permissions landscape, capturing a more accurate characterization than the dated studies. Second, the Android permission system evolves and so do the permission usages. We hope to provide a current perspective by analyzing recently updated applications. Third, given the evolving legislative and regulatory mandates, trends in the use of Android permissions are likely changing. We hope to shed light on the most up-to-date view of those permission trends by capturing the policy evolution. Finally, a comprehensive, up-to-date understanding of the current landscape remains limited.

Contributions: In this paper, we make the following contributions:

• Longitudinal Permission Analysis: We conduct a multi-year exploration of Android permission usage trends from 2019 to 2023, comparing how benign and malicious apps request permissions over time. This temporal period allows us to observe shifts in behavior, such as malicious apps minimizing permission use to evade detection.
• Genre-Based Comparative Study: We examine permission usage across sixteen distinct app genres (e.g., finance, education, and communication), offering one of the broadest category-level analyses to date. This genre-specific breakdown reveals nuanced permission patterns that are often obscured in aggregate analyses.
• Structured Semantic Categorization: We introduce and apply a consistent, interpretable taxonomy of high-level semantic permission groups (e.g., location, GPS, and network connectivity). This categorization enables clearer cross-genre and cross-year comparisons, supporting more interpretable analysis than ad hoc or inconsistent groupings in prior work.
• Association Rule Analysis: Leveraging the FP-Growth algorithm, we identify frequent permission combinations and patterns of co-occurrence across the entire dataset. Our analysis spans the full dataset, individual years, and specific app genres, uncovering meaningful trends in benign and malicious apps.
• Multi-Dimensional Feature Comparison: Beyond permissions, we analyze additional app metadata, such as in-app purchases, content ratings, ad presence, app size, and user ratings, to study how these features correlate with permission behavior and potential risks. This holistic perspective helps uncover broader ecosystem patterns that affect both developers and users.

Organization: This paper is structured as follows: We begin by reviewing significant related work in Section 2, which sets the foundation for our research. Next, we provide a background of the Android permission domain in Section 3, outlining the key concepts and structures that inform our study. In Section 4, we detail the data collection and analysis methodology, followed by a thorough presentation of our analysis results in Section 5. These findings are comprehensively discussed in Section 6, highlighting the key takeaways. Finally, we address the study’s limitations and offer recommendations in Section 7, as well as provide concluding remarks and suggestions for future research in Section 8.

2. Related Work

Research on the Android permission system has evolved significantly, addressing various aspects, including system design, user comprehension, and security implications. Numerous studies have examined permission usage patterns, overprivilege detection, user perception, and malware detection strategies, providing valuable insights into Android’s permission framework. Table 1 summarizes key contributions from related work, including methodologies, features examined, and their limitations. Earlier works often focused on limited datasets, specific methodologies, or narrow perspectives (e.g., overprivilege detection or user perception); our work, in contrast, builds on and extends these efforts. Specifically, we analyze permission usage across app categories over a five-year period (2019–2023), incorporating additional features, such as advertisements and in-app purchases. This holistic approach enables a broader understanding of permission trends, their security implications, and their relationship with app functionalities.

Android Permissions System Overview: The Android permissions system has been the subject of extensive research, with a focus on its limitations, user understanding, security mechanisms, and system design. Studies have explored permission usage patterns and granularity [12,13,14,15], while others emphasized enhancements to refine how permissions are managed [16,17,18,19]. More recent works introduced dynamic and context-aware permission models to address evolving privacy challenges [20,21,22]. Barrera et al. [23] used the Self-Organizing Map (SOM) algorithm to highlight permission usage patterns, identifying areas for refinement, while Almomani et al. [24] provided an overview of Android’s evolving permission framework.

Permission Optimization and Overprivilege Detection. Overprivileged permissions and minimizing unnecessary requests are key issues in Android security research. Xiao et al. [25] introduced MPDroid, which combines static analysis and collaborative filtering to tackle overprivilege. Similarly, Johnson et al. [26] mapped Android API calls to required permissions by automating app downloads and analyzing permission accuracy. Our work builds on this by categorizing permissions into semantic groups and comparing their usage with app features like ads and in-app purchases.

User Perception and Risk Signals. Several works examine the link between app permissions and user perception. Sarma et al. [27] integrated risk signals into permission warnings, and Felt et al. [28] identified user comprehension challenges. While these studies provide insights into user interaction, our research extends by exploring permission use in connection with app features and its effect on user privacy.

Longitudinal Studies on Android Permissions: Longitudinal research on permission systems helps to reveal trends and security risks over time. Wei et al. [8] conducted such a study, observing an increase in dangerous permissions over the years. Zhauniarovich et al. [29] analyzed the transition to runtime permissions introduced in Android 6.0. Our research builds on these findings by examining how permission usage varies across app categories and changes over time. Specifically, we analyze the frequency and type of permissions requested within different app categories (e.g., gaming, finance, and education) and observe shifts in these patterns over the years. This approach provides a more granular view of permission trends, highlighting category-specific behaviors and evolving practices in permission requests.

Permissions and App Features. The relationship between permissions and app features, including advertisements, in-app purchases, and app trustworthiness has also been explored. Wang et al. [30] used natural language processing to study how permissions influence user trust, while Scoccia et al. [31] examined how developers handle permission-related issues. Our research provides a more comprehensive comparison of permission usage and app features, offering insights into their role in app functionality and user privacy.

Permission Analysis for Security and Malware Detection. Security research has extensively used permission analysis to enhance Android malware detection strategies. Li et al. [7] and Guyton et al. [32] both optimized feature selection by analyzing permissions, intents, and API calls, while Rathore et al. [33] developed a malware detection system that strongly relies on permission data. Additionally, Mohaisen et al. [34] introduced AMAL, a behavior-based automated malware classification system that complements permission-centric approaches by examining static and dynamic behaviors at scale. Kang et al. [35] further advanced detection accuracy by incorporating creator information such as certificate serial numbers into static analysis pipelines for classification and attribution. Beyond Android, Alasmary et al. [36] proposed a graph-based approach for detecting emerging malware in the Internet of Things (IoT), showing that metadata, structure, and behavioral context are vital for robust detection across platforms. While these studies focus mainly on security, our work broadens the scope by analyzing permissions not only in terms of security threats but also by exploring their broader implications on user privacy and overall app behavior.

Table 1. Comparison of related work on Android permission research.

Author	Year	Samples	Method	Apps	Features	Limits
Wei et al. [8]	2009–2011	237	Longitudinal study	Perm. changes	Dangerous and pre-installed perms	No comp. w/ features
Barrera et al. [23]	2010–2011	1100	SOM clustering	Perm. analysis	Use patterns and granularity	Few cats., early study
Johnson et al. [26]	2012	141,000	API map + auto DL	Perm. accuracy	Misuse detection	No feat. mapping
Sarma et al. [27]	2012	158,062	Risk signal fusion	Warn. decisions	Risks vs. benefits	Shallow analysis
Felt et al. [28]	2012	333	User studies	Perm. effectiveness	Attn. and understanding	No feat. links
Zhauniarovich et al. [29]	2016	–	Runtime analysis	Perm. system	Dynamic and structural mgmt.	No comp. eval
Guyton et al. [32]	2018	119 K	Sec. model opt.	Malware detect.	Perms, intents, and APIs	No privacy impact
Wang et al. [30]	2019	20 K	NLP on reviews	User feedback	Trust and user perception	Lacks deep analysis
Xiao et al. [25]	2020	16,343	Static + CF	Overpriv. detect.	Min. necessary perms	Narrow scope
Rathore et al. [33]	2021	11,281	Perm.-based ML	Malware detect.	High-risk perms	No feat. eval
Scoccia et al. [31]	–	574	Exploratory	Perm. mgmt.	Issue fixing and practices	No func. insight
Li et al. [7]	–	814	Static + Apriori	Dev guidance	Perm. relationships	No behavior links
Almomani et al. [24]	–	–	SOM clustering	Perm. framework	Dev risks and vuln. focus	No cat. detail
This work	2019–2023	5028	Category + comp. analysis	Perm. profiling	Genres, semantics, ads, and IAPs	Partial feat. coverage

Table 1. Comparison of related work on Android permission research.

Author	Year	Samples	Method	Apps	Features	Limits
Wei et al. [8]	2009–2011	237	Longitudinal study	Perm. changes	Dangerous and pre-installed perms	No comp. w/ features
Barrera et al. [23]	2010–2011	1100	SOM clustering	Perm. analysis	Use patterns and granularity	Few cats., early study
Johnson et al. [26]	2012	141,000	API map + auto DL	Perm. accuracy	Misuse detection	No feat. mapping
Sarma et al. [27]	2012	158,062	Risk signal fusion	Warn. decisions	Risks vs. benefits	Shallow analysis
Felt et al. [28]	2012	333	User studies	Perm. effectiveness	Attn. and understanding	No feat. links
Zhauniarovich et al. [29]	2016	–	Runtime analysis	Perm. system	Dynamic and structural mgmt.	No comp. eval
Guyton et al. [32]	2018	119 K	Sec. model opt.	Malware detect.	Perms, intents, and APIs	No privacy impact
Wang et al. [30]	2019	20 K	NLP on reviews	User feedback	Trust and user perception	Lacks deep analysis
Xiao et al. [25]	2020	16,343	Static + CF	Overpriv. detect.	Min. necessary perms	Narrow scope
Rathore et al. [33]	2021	11,281	Perm.-based ML	Malware detect.	High-risk perms	No feat. eval
Scoccia et al. [31]	–	574	Exploratory	Perm. mgmt.	Issue fixing and practices	No func. insight
Li et al. [7]	–	814	Static + Apriori	Dev guidance	Perm. relationships	No behavior links
Almomani et al. [24]	–	–	SOM clustering	Perm. framework	Dev risks and vuln. focus	No cat. detail
This work	2019–2023	5028	Category + comp. analysis	Perm. profiling	Genres, semantics, ads, and IAPs	Partial feat. coverage

3. Background

Understanding the context of Android permissions is crucial for analyzing their impact and usage within the ecosystem. This section provides an overview of essential components in the Android permission domain. We begin by discussing the Google Play Store, the primary distribution platform for Android apps, followed by an exploration of Android Application Packages (APKs), which serve as the core unit for app delivery and installation. Finally, we delve into the intricacies of Android permissions, examining how they govern app behavior and user privacy.

Google Play Store: The Google Play Store [37] is an online platform and digital distribution service developed by Google, serving as the official app store for Android devices. It offers a centralized hub for discovering, purchasing, and managing apps, games, movies, music, books, and other digital content. Users can access free and paid content through the Play Store app or its web interface, as illustrated in Figure 1.

Understanding an APK: An Android Application Package (APK) is the standard file format for distributing and installing apps on Android. It contains all the necessary components such as the code, libraries, assets, and manifest file needed to seamlessly run the app [38]. The manifest file, AndroidManifest.xml, provides crucial information like the package name, permissions, and hardware requirements, allowing proper system execution and robust security enforcement. The assets folder contains uncompiled data, such as texts, images, and audio files, which are accessible during runtime. The resources.arsc file stores essential UI resources, while the classes.dex file contains compiled Java bytecode for the app. Finally, the META-INF directory houses metadata and signature files, ensuring the overall integrity of the APK by preventing tampering.

Permissions in the Android Platform: App permissions in the Android domain are security measures designed to protect user data and ensure privacy by regulating what actions an app can perform and what information it can access on the device. When an app requests specific permission, it seeks authorization to access certain features or data on the user’s device, including personal information, system resources, or device hardware. Users are prompted to grant or deny these permissions during the app’s installation or while using the app.

Permissions in Android are officially categorized by Google into two types: normal and dangerous, as defined in the Android developer documentation [39]. Normal permissions cover less sensitive operations, such as internet access. These are automatically granted at the installation time because they pose minimal risk to the user’s privacy or device security.

Dangerous permissions, on the other hand, involve access to more sensitive user data and require explicit user consent. Examples include permissions for accessing the user’s location, contacts, and camera. Beginning with Android 6.0 (Marshmallow), apps must request dangerous permissions at runtime, giving users more control and transparency over their data [40]. For instance, a social media app might request access to the camera for photo uploads, while a navigation app would require location access to provide accurate directions. By requiring runtime approval, Android ensures that apps cannot access sensitive data without the user’s knowledge and consent.

Location access permissions, such as ACCESS_FINE_LOCATION, allow an app to retrieve precise user location data using GPS and network-based sources. In contrast, ACCESS_COARSE_LOCATION permits access to approximate location information derived from Wi-Fi and cell towers. Similarly, permissions for device hardware, such as CAMERA and RECORD_AUDIO, enable the app to use the device’s camera and microphone to capture photos, record videos, or capture audio. Storage permissions, like READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE, grant the app access to external storage, including photos, videos, and other files. These permissions are often presented at a higher semantic level in user-facing interfaces, abstracting technical permission names into descriptions of functionality. For example, ACCESS_NETWORK_STATE may be displayed as “have full network access,” as demonstrated in Figure 2. The snapshot showcases an example app from our dataset, visually highlighting its requested permissions and their representations alongside key app metadata, such as data safety and usage details.

4. Methodology

We adopted a structured methodology for collecting, labeling, and analyzing Android application data, with a particular emphasis on permission usage and its broader implications. The process is organized into several core stages: data collection, malware classification, feature extraction, permission extraction, permission categorization, and comprehensive analysis. Each stage is designed to maintain dataset integrity and support reliable, reproducible insights. An overview of the full pipeline is illustrated in Figure 3, providing a visual summary of the workflow used throughout this study.

❶ Data Collection: We obtained our dataset from AndroZoo [41], a comprehensive source for Android apps’ data. AndroZoo’s data collection process prioritizes two primary features to enhance dataset robustness and versatility: First, it spans a significant temporal range, ensuring the inclusion of apps from various periods, which supports comprehensive analyses across different studies. Second, it emphasizes sourcing apps from reputable and well-established markets, particularly the Google Play Store, to ensure the integrity and credibility of the collected apps. To achieve this, we implemented a verification step during preprocessing in which each app’s unique AppID was cross-referenced against current listings on the Google Play Store. This ensured that our final dataset includes only apps that are actively available on the platform at the time of analysis. Initially, we collected 7000 apps cross-validated with the Google Play Store to ensure their presence on the official Android market. This validation process resulted in a final dataset of 5028 apps, comprising 4465 benign and 563 malicious apps, spanning five years from 2019 to 2023.

❷ Maliciousness Classification: To classify Android applications in our dataset as benign or malicious, we relied on VirusTotal [42], a widely used platform that analyzes APK files using over 70 antivirus engines. We first checked whether an app had an existing VirusTotal scan result from the AndroZoo repository. If no scan result was available or if the scan was outdated, we manually submitted or re-scanned the APK on VirusTotal to ensure up-to-date results. We adopted a sensitive labeling policy: an app was labeled as malicious if at least one antivirus engine flagged it, and it was labeled as benign if no engines flagged it. This ensured consistency across the dataset while capturing a broad range of potentially harmful behaviors. This dual approach, leveraging existing annotations and performing fresh scans, helped enhance the reliability of our labels and reduce ambiguity stemming from stale metadata. Previous work has examined the reliability and consistency of antivirus labels across vendors, highlighting discrepancies and challenges in using them as the ground truth for malware classification [43].

❸ Feature Extraction: After assembling our dataset, we extracted and consolidated a comprehensive set of metadata features for each APK using a combination of the AndroZoo platform and a Google Play Store metadata scraper [44]. These tools allowed us to systematically retrieve relevant app characteristics, including genre, ad-supported status, in-app purchases, content rating, app rating, install count, and APK size. These features are essential for analyzing trends in permission usage across different dimensions. Our analysis spans 16 distinct app genres, as detailed in Tables 5 and 6, providing a diverse and representative view of Android applications on the Google Play Store. This enriched metadata enabled more nuanced and comparative analyses of permission requests in relation to app functionality and user-facing traits.

❹ Permission Extraction: The next step involved extracting permissions from each app in our dataset. This process began with the decompilation of classes.dex files from the APKs to obtain the Java source files that represent the applications. We systematically extracted the permissions using these source files and cataloged them in CSV format. This format included each app’s package name and associated permissions, providing a structured approach to analyzing and assessing permission requests from various applications. From the 5028 apps, we successfully extracted permissions from 4136 benign apps and 343 malicious apps, resulting in 63,480 permissions.

Table 2. Summary of apps counts across years and types.

Year	Apps	Benign			Malicious
		Total	Valid	Failed	Total	Valid	Failed
2019	778	653	593	60	125	110	15
2020	827	737	699	38	90	65	25
2021	1033	915	860	55	118	73	45
2022	1236	1107	1066	41	129	62	67
2023	1154	1053	918	135	101	33	68
Total	5028	4465	4136	329	563	343	220

presents a detailed overview of the number of applications and the permissions extracted for each year, including the number of apps for which no permissions were found. In our initial analysis, a subset of applications returned the result “No Permissions Found” during the permission extraction phase. This outcome, based on static analysis of the decompiled source code using JADX and regular expression matching for permission references (e.g., android.permission.X), indicates that these applications genuinely do not request any permissions. This breakdown includes 5318 permissions from malicious apps and 58,162 permissions from benign apps, averaging 14 permissions per benign app and 16 per malicious app. A total of 321 unique permissions were identified across all categories, reflecting diverse usage and functionalities.

❺ Permission Categorization: Given the extensive permissions in our dataset, we systematically categorized each permission into higher-level semantic categories. For instance, permissions such as INTERNET and ACCESS_NETWORK_STATE were grouped under the category of network and connectivity. This method of categorization was designed to provide a structured framework that enables a more coherent and meaningful analysis of permission usage. By organizing permissions in this way, we can better understand how different permissions are used across various applications, which in turn reveals patterns and insights into app behaviors and privacy implications.

We grouped the 321 permissions by function, following the Android documentation. Using language models, we refined these groupings based on semantic similarities. This resulted in high-level categories: “system and device management” (G1, 92), “network and connectivity” (G2, 29), “data access and storage” (G3, 25), “location and GPS” (G4, 10), “communication and messaging” (G5, 28), “media and camera” (G6, 4), “security and privacy” (G7, 31), “system UI and notification” (G8, 16), “app management and admin” (G9, 50), and “payment and transactions” (G10, 36). The final categorization, which is illustrated in

Table 3. Breakdown of 321 unique permissions by category.

Category	Permissions
System and Device Management	92
Network and Connectivity	29
Data Access and Storage	25
Location and GPS	10
Communication and Messaging	28
Media and Camera	4
Security and Privacy	31
System UI and Notifications	16
App Management and Administration	50
Payment and Transactions	36
Total	321

, outlines these higher-level semantic groups along with the associated count of permissions within each category. This categorization is the foundation for our subsequent analysis, providing a clear and organized perspective on the Android permission landscape.

While the prior work has performed coarse semantic grouping of permissions (e.g., grouping based on functions like the network or storage), our contribution lies in constructing and applying a comprehensive, consistent, and interpretable high-level semantic taxonomy that spans all permission types and supports longitudinal and category-specific analyses. We explicitly define 10 well-structured permission groups (e.g., G1: system and device management, G4: location and GPS, etc.) and systematically apply this categorization in year- and genre-wise analyses. This structured framework enables clearer comparisons across app types and behaviors, which are often missing or inconsistently applied in earlier studies. For example, Wang et al. [45] grouped permissions by function in their risk models, but they did not apply a standardized taxonomy across all evaluation axes (e.g., time and category). Our work builds upon this direction with a consistent semantic scheme designed for interpretable analysis.

❻ Analysis: We conducted a comprehensive analysis of Android permissions by identifying the top requested permissions across applications from multiple years (2019–2023) and within 16 distinct app genres, examining both the benign and malicious aspects for each year and genre. To deepen our understanding of permission usage patterns, we employed association rule mining with the FP-Growth algorithm [46], which enabled us to uncover frequent permission combinations and highlight patterns of co-occurring permissions. Additionally, we examined the association between requested permissions and various app features, including genre, ad-supported status, in-app purchases, content rating, app rating, install base, and app size. This multifaceted analysis provided valuable insights into permission request trends, revealing key differences in permission behavior between benign and malicious apps, and highlighted specific patterns relevant to different app categories. Our findings contribute to a deeper understanding of permission usage dynamics and their implications for user privacy and security across diverse application types.

5. Analysis Results

This section presents a comprehensive analysis of permission requests in Android applications and their comparison.

5.1. Top Requested Permissions

5.1.1. Top Requested Permissions by Year

We analyzed the top permissions requested for benign and malicious apps from 2019 to 2023 to identify shifting trends in permission requests. The results revealed several key insights.

Table 4. Breakdown of the top requested permissions for benign (B) and malicious (M) apps over the years from 2019 to 2023.

Permission	Type	2019		2020		2021		2022		2023
		B	M	B	M	B	M	B	M	B	M
ACCESS_NETWORK_STATE	G2	551	99	639	59	726	66	892	58	785	28
ACCESS_FINE_LOCATION	G4	533	101	661	59	820	71	1035	60	886	31
ACCESS_COARSE_LOCATION	G4	520	101	644	59	810	71	1018	60	867	30
INTERNET	G2	451	87	516	41	560	52	615	48	534	20
WRITE_EXTERNAL_STORAGE	G3	450	75	488	44	538	60	553	51	433	19
UPDATE_DEVICE_STATS	G2	424	84	515	51	664	63	906	55	811	25
CAMERA	G6	305	49	431	33	496	53	526	0	0	0
RECORD_AUDIO	G6	273	45	386	31	0	51	0	0	0	0
USE_FINGERPRINT	G7	255	46	416	30	0	0	0	0	0	0
WAKE_LOCK	G1	254	0	396	33	530	51	744	53	695	23
READ_PHONE_STATE	G1	0	44	0	0	0	0	0	44	0	0
STATUS_BAR_SERVICE	G8	0	0	0	0	511	0	670	0	613	18
MEDIA_CONTENT_CONTROL	G6	0	0	0	0	511	0	670	0	614	18
GET_ACCOUNTS	G1	0	0	0	0	0	42	0	46	449	19
READ_EXTERNAL_STORAGE	G3	0	0	0	0	0	0	0	45	0	0

provides detailed data on these trends. Across all years, the three most frequently requested permissions were ACCESS_NETWORK_STATE, ACCESS_FINE_LOCATION, and ACCESS_COARSE_LOCATION, which fall under two dominant high-level categories: “location and GPS” (G4) and “network and connectivity” (G2). These categories reflect the core functionality of most Android apps, including location tracking and internet access.

Over time, malicious apps showed a consistent reduction in permission requests across all categories. For instance, ACCESS_FINE_LOCATION dropped from 101 requests in 2019 to just 31 in 2023, and ACCESS_NETWORK_STATE declined from 99 to 28. This trend suggests an evolving strategy to evade detection by minimizing sensitive permissions. Some permissions like CAMERA, RECORD_AUDIO, and USE_FINGERPRINT, which fall under “media and camera” (G6) and “security and privacy” (G7), disappeared entirely from malicious apps by 2023.

In contrast, benign apps generally maintained or increased their use of certain sensitive permissions. Location-related permissions (G4) peaked in 2022, and network-related permissions (G2) remained consistently high. However, a few permissions, such as WRITE_EXTERNAL_STORAGE and CAMERA, showed a decline over time. Notably, permissions like STATUS_BAR_SERVICE and MEDIA_CONTENT_CONTROL, which fall under “system UI and notification” (G8) and “media and camera” (G6), respectively, were used exclusively by benign apps, highlighting distinct usage patterns between benign and malicious behaviors.

Takeaways. Malicious apps requested less sensitive permissions over time, possibly to evade detection. On the other hand, benign apps frequently request sensitive permissions, highlighting ongoing considerations for user privacy and security.

5.1.2. Top Requested Permissions by Genre

We also examined the top requested permissions across 16 app genres, including finance, business, education, and more. This analysis aimed to understand how permission requests vary by app category, as illustrated in 

Table 5. Breakdown of top permissions requested in the first 8 of 16 total app categories for benign (B) and malicious (M) apps.

Permission	Type	Finance		Business		Education		Tools		Productivity		Lifestyle		Medical		Books
		B	M	B	M	B	M	B	M	B	M	B	M	B	M	B	M
ACCESS_FINE_LOCATION	G4	393	26	478	23	358	31	295	17	277	19	164	5	205	11	99	7
ACCESS_COARSE_LOCATION	G4	389	25	475	23	349	31	290	17	276	19	157	5	196	11	98	7
ACCESS_NETWORK_STATE	G2	386	28	366	21	341	30	242	15	210	14	147	5	171	11	101	6
UPDATE_DEVICE_STATS	G1	359	27	381	17	295	24	218	12	234	13	136	4	165	9	88	5
WAKE_LOCK	G1	322	24	286	18	234	0	163	8	169	0	118	5	125	6	75	3
INTERNET	G2	297	23	163	13	233	23	177	12	114	11	108	0	120	8	94	4
CAMERA	G6	254	0	134	12	193	21	168	10	0	10	78	0	95	7	78	0
WRITE_EXTERNAL_STORAGE	G3	232	15	0	13	218	27	198	14	92	10	91	0	84	10	93	3
READ_PHONE_STATE	G1	216	0	0	0	0	18	0	0	0	0	0	4	0	9	0	0
MEDIA_CONTENT_CONTROL	G6	214	18	361	11	217	0	0	0	213	10	97	5	135	0	0	0
GET_ACCOUNTS	G3	0	19	0	0	0	0	0	8	0	0	0	4	0	0	0	0
STATUS_BAR_SERVICE	G8	0	18	361	0	217	0	150	0	213	10	97	5	135	0	0	3
USE_FINGERPRINT	G7	0	0	190	11	0	0	0	0	87	0	0	0	0	0	0	4
RECORD_AUDIO	G6	0	0	0	0	0	19	0	10	0	0	0	0	0	6	72	0
READ_EXTERNAL_STORAGE	G3	0	0	0	0	0	19	152	0	0	11	0	4	0	0	62	0
RECEIVE_BOOT_COMPLETED	G1	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	3

and

Table 6. Breakdown of permission requests in benign and malicious android applications across the second set of 8 app categories, completing the overview of all 16 genres from 2019 to 2023 for benign (B) and malicious (M) apps.

Permission	Type	Shopping		Entertainment		Sports		Music		Travel		Comm		Games		Other
		B	M	B	M	B	M	B	M	B	M	B	M	B	M	B	M
ACCESS_FINE_LOCATION	G4	123	15	112	10	117	6	107	14	70	6	88	7	533	63	490	56
ACCESS_COARSE_LOCATION	G4	123	15	112	10	117	6	106	14	61	6	88	7	515	63	485	56
ACCESS_NETWORK_STATE	G2	115	15	102	10	107	6	107	14	63	6	86	8	546	62	481	54
UPDATE_DEVICE_STATS	G1	114	15	89	10	104	5	92	12	51	5	74	0	505	63	393	47
WAKE_LOCK	G1	101	12	68	0	90	0	0	0	42	3	69	0	365	40	334	34
INTERNET	G2	97	9	94	9	78	5	98	11	45	4	0	0	504	61	385	42
CAMERA	G6	71	8	79	9	58	5	82	9	42	3	48	7	404	38	293	29
WRITE_EXTERNAL_STORAGE	G3	74	0	91	9	72	6	102	14	43	4	52	7	525	59	359	43
READ_PHONE_STATE	G1	0	0	69	6	0	0	68	0	0	0	0	7	0	32	0	0
MEDIA_CONTENT_CONTROL	G6	66	0	0	0	78	0	0	0	38	0	56	0	0	0	0	0
GET_ACCOUNTS	G3	0	7	0	0	0	0	0	0	0	3	0	0	0	35	249	27
STATUS_BAR_SERVICE	G8	65	0	0	0	78	0	0	0	38	0	56	0	0	0	0	0
USE_FINGERPRINT	G7	0	0	0	0	0	0	0	7	0	0	0	0	0	0	0	0
RECORD_AUDIO	G6	0	0	0	9	0	5	86	9	0	0	0	7	393	0	0	0
READ_EXTERNAL_STORAGE	G3	0	0	74	8	0	4	78	9	0	3	49	6	0	0	287	35
RECEIVE_BOOT_COMPLETED	G1	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
ACCESS_WIFI_STATE	G2	0	8	0	0	0	0	0	0	0	0	0	0	362	0	0	0
CALL_PHONE	G5	0	7	0	0	0	0	0	0	0	0	0	0	0	0	0	0
BLUETOOTH	G5	0	0	0	0	0	3	0	0	0	0	0	0	0	0	0	0
SEND_SMS	G5	0	0	0	0	0	0	0	0	0	0	0	7	0	0	0	0
READ_CONTACTS	G5	0	0	0	0	0	0	0	0	0	0	0	7	0	0	0	0

.

Games and other apps consistently requested the most permissions, especially those falling under “location and GPS” (G4), “network and connectivity” (G2), and “system and device management” (G1). These app categories rely heavily on real-time features such as interactive gameplay and dynamic content access.

In contrast, genres such as books, music, and travel consistently requested fewer permissions, particularly among malicious apps, likely due to their offline functionality and limited access to sensitive data. Across all genres, benign apps requested more permissions than malicious ones. Commonly requested permissions among benign apps included ACCESS_FINE_LOCATION, WRITE_EXTERNAL_STORAGE, and INTERNET, which fall under G4, G3, and G2, respectively. On the other hand, malicious apps tended to minimize permission requests, likely as an evasion tactic.

Interestingly, permissions under “communication and messaging” (G5), such as SEND_SMS, CALL_PHONE, and READ_CONTACTS, appeared exclusively in malicious apps and primarily within the games category, suggesting potential misuse for spam or fraud activities.

Takeaways. Permission patterns vary significantly by app category. Data-heavy and interactive genres like games and communication request more permissions, particularly among benign apps. Malicious apps tend to stay minimal across the board, though some sensitive permissions appear exclusively within certain categories.

5.2. Association Rule Analysis

Association rule analysis is a powerful data mining technique used to uncover relationships between items in large datasets. In this work, we applied this technique to identify frequent combinations of Android permissions requested by apps. By examining co-occurring permissions, we aimed to uncover patterns that offer insights into how apps behave and how these behaviors differ across app categories, years, and between malicious and benign applications. This analysis helps provide a deeper understanding of permission usage dynamics and the implications for user privacy and security.

To achieve this, we employed the FP-Growth (frequent pattern growth) algorithm, which is a highly efficient method for finding frequent itemsets in large datasets. Unlike other algorithms like Apriori, FP-Growth does not generate candidate itemsets explicitly. Instead, it builds a compressed data structure called the frequent pattern tree (FP-Tree), which stores information about item frequencies in a hierarchical format. The algorithm then mines the FP-Tree to discover frequent itemsets. The formula used to determine the frequency of an itemset is defined as

$$\mathrm{Support}={\displaystyle \frac{\mathrm{Frequency}\mathrm{of}\mathrm{the}\mathrm{Itemset}\mathrm{in}\mathrm{Dataset}}{\mathrm{Total}\mathrm{Number}\mathrm{of}\mathrm{Transactions}\mathrm{in}\mathrm{Dataset}}}.$$

(1)

In this study, we applied a minimum support threshold of 50% for the FP-Growth algorithm, as demonstrated in Figure 4, meaning that a permission combination was included only if it appeared in at least half of the analyzed applications. This threshold was chosen to highlight the most dominant and widely shared permission patterns across apps, ensuring meaningful insights while filtering out low-frequency or less relevant combinations. The selection of a 50% threshold aligns with common practices in association rule mining, particularly in studies aiming to extract high-confidence and interpretable patterns [47,48]. By focusing on frequent associations, we aim to surface stable trends rather than outliers. A detailed example is provided to illustrate how the FP-Growth algorithm operates in this context.

The first step of the FP-Growth algorithm is to calculate the support for individual permissions. For instance, the permission ACCESS_FINE_LOCATION appears in all three apps, resulting in a support value of $3/3=100\%$. Similarly, INTERNET appears in two apps, yielding a support level of $2/3\approx 66.7\%$. Based on the support threshold of 50%, all these permissions would be included in the FP-Tree. Next, the algorithm identifies frequent permission combinations. For example, the combination ACCESS_FINE_LOCATION and INTERNET appears in two apps, resulting in a support level of $2/3\approx 66.7\%$. This process continues until all frequent combinations of permissions are identified. For our analysis, we applied the FP-Growth algorithm to three distinct dimensions of the dataset. First, we examined the entire dataset to identify frequent permission combinations across all malicious and benign apps, providing a comprehensive view of co-occurring permissions. Second, we conducted a yearly analysis from 2019 to 2023, analyzing trends in permission combinations over time by separating malicious and benign apps. Finally, we performed a genre-specific analysis, focusing on 16 distinct app genres, such as games, finance, and communication, to uncover permission patterns unique to each genre.

5.2.1. Whole-Dataset Permission Combinations

To gain insights into permission request patterns, we analyzed the entire dataset, separating malicious and benign applications to identify differences in permission usage.

Table 7. Comparison of benign and malicious applications: average support and total count by permission size. Permission size refers to the number of permissions grouped together, with average support showing the average percentage of apps requesting each combination and total count representing the overall frequency of these combinations.

Permission Size	Avg. Support (%)		Total Count
	Benign	Malicious	Benign	Malicious
2	61.41	56.61	58,136	895
3	57.90	55.22	57,304	291
4	55.72	-	26,374	-
5	53.94	-	4642	-

presents the findings, and they are organized by “Permission Size", which refers to the number of permissions grouped together in a combination analyzed through the FP-Growth algorithm. For example, a permission size of two could include combinations like ACCESS_FINE_LOCATION and INTERNET, where two permissions co-occur in the dataset. Similarly, a permission size of three might include ACCESS_FINE_LOCATION, INTERNET, and WRITE_EXTERNAL_STORAGE, indicating three permissions commonly requested together. The “Avg. Support (%)" column indicates how often these permission combinations occur across the respective app types, calculated as the percentage of apps in the dataset containing these combinations. The “Total Count" column quantifies the number of apps that include these permission combinations, providing a tangible measure of their prevalence.

Benign apps tend to exhibit larger and more diverse permission combinations, as reflected by both the higher average support percentages and the higher total counts for combinations of larger permission sizes. For example, two-permission combinations in benign apps have an average support percentage of 61.41%, with a total count of 58,136. This total count represents the sum of occurrences of all unique two-permission combinations across all benign apps in the dataset, not the number of apps themselves. In contrast, malicious apps with the same permission size have an average support percentage of 56.61% and a total count of 895, indicating significantly fewer instances of two-permission combinations. As the permission size increases, this gap becomes more apparent, with benign apps maintaining high counts and support percentages for larger combinations, while malicious apps show fewer or no frequent itemsets for sizes beyond three permissions. This suggests that malicious apps often employ a more targeted and minimalistic approach to requesting permissions, potentially to avoid detection.

Takeaways. Benign apps request broader permissions, while malicious apps focus on minimal combinations, likely to evade detection.

5.2.2. Yearly Permission Combinations

The yearly analysis highlights the evolution of permission combinations from 2019 to 2023 across benign and malicious applications.

Table 8. Comparison of benign (B) and malicious (M) applications by year: average support and total count by permission size.

Year	Permission Size	Avg. Support (%)		Total Count
		B	M	B	M
2019	2	67.51	66.61	6471	1229
	3	61.82	61.22	7901	1506
	4	57.83	57.29	5543	1057
	5	54.85	54.34	2103	401
	6	52.43	52.03	335	64
2020	2	60.72	57.33	14,164	313
	3	56.63	54.12	18,578	197
	4	54.53	51.65	11,130	47
2021	2	60.80	54.62	14,274	65
	3	57.74	-	14,078	-
	4	55.91	-	6058	-
	5	53.82	-	972	-
2022	2	65.26	53.31	14,266	563
	3	61.17	52.60	14,710	303
	4	58.87	52.08	7078	50
2023	2	66.54	-	14,370	-
	3	61.20	-	17,814	-
	4	57.96	-	10,884	-
	5	54.30	-	3569	-
	6	50.59	-	475	-

presents the average support percentages and total counts of permission combinations for different permission sizes over these years. The data shows that benign apps consistently request a greater number of larger permission combinations compared to malicious apps. For instance, in 2019, benign apps exhibited an average support of 67.51% for two-permission combinations, encompassing 6471 instances, compared to 66.61% and 1229 instances for malicious apps. However, as the permission size increases, the support percentages and total counts for both benign and malicious apps decline. By 2022, benign apps maintained 7078 four-permission combinations with an average support of 58.87%, while malicious apps recorded only 50 such combinations with a support level of 52.08%.

A notable trend observed is the diminishing frequency of larger permission combinations in malicious apps over time. For example, while benign apps frequently recorded combinations of four and five permissions, malicious apps increasingly focused on smaller permission sets beyond 2021. This shift could suggest a strategic move by malicious apps to minimize detection by avoiding excessive permission requests. The yearly breakdown also reveals the stability of benign app behavior over time, with consistent patterns in permission requests, particularly for larger combinations. Malicious apps, on the other hand, exhibit a more pronounced decline in support and total counts for larger combinations as the years progress. This distinction highlights evolving strategies in permission requests, with malicious apps adopting a more streamlined approach.

Takeaways. Benign apps continue to use larger permission combinations, while malicious apps increasingly focus on smaller sets, reflecting a strategic shift to minimize detection.

5.2.3. Permission Combinations Across Genres

Our genre-specific analysis examined frequent permission combinations across 16 app genres, distinguishing between benign and malicious applications. The results, which are presented in

Table 9. Comparison of average support and total count by permission size for benign (B) and malicious (M) apps across the first 8 of 16 total app genres.

Genre	Permission Size	Avg. Support (%)		Total Count
		B	M	B	M
Books	2	66.02	55.56	2699	15
	3	62.54	55.56	6255	5
	4	59.97	-	9544	-
	5	57.98	-	9778	-
	6	56.41	-	6630	-
	7	55.08	-	2855	-
	8	53.88	-	708	-
	9	52.74	-	77	-
Business	2	67.97	58.47	6341	145
	3	61.57	56.99	7860	53
	4	57.48	-	5362	-
	5	54.76	-	1882	-
	6	52.95	-	260	-
Communication	2	64.22	70.94	1208	415
	3	59.01	68.25	1402	1290
	4	55.99	65.93	776	2670
	5	54.21	63.89	161	3864
	6	-	62.09	-	3990
	7	-	60.49	-	2940
	8	-	59.06	-	1515
	9	-	57.78	-	520
	10	-	56.61	-	107
	11	-	55.56	-	10
Education	2	61.41	-	6334	-
	3	57.41	-	6798	-
	4	54.92	-	3357	-
	5	53.14	-	609	-
Entertainment	2	61.65	-	3535	-
	3	57.86	-	6424	-
	4	55.46	-	6699	-
	5	53.64	-	4057	-
	6	52.11	-	1335	-
	7	50.82	-	186	-
Finance	2	63.08	55.27	5439	325
	3	59.44	52.78	5694	266
	4	56.30	51.59	3236	65
	5	54.07	-	777	-
Games	2	68.15	72.66	18,653	1007
	3	63.50	72.85	38,159	1234
	4	60.48	73.68	46,779	851
	5	58.35	72.51	35,064	335
	6	56.76	71.43	15,536	55
	7	55.54	-	3635	-
	8	54.62	-	325	-
Lifestyle	2	64.60	-	2274	-
	3	61.90	-	2179	-
	4	59.66	-	1050	-
	5	57.67	-	203	-

and

Table 10. Comparison of average support and total count by permission size for benign (B) and malicious (M) apps across the second 8 of 16 total app genres.

Genre	Permission Size	Avg. Support (%)		Total Count
		B	M	B	M
Medical	2	60.87	-	2715	-
	3	56.22	-	2758	-
	4	53.40	-	1310	-
	5	51.35	-	229	-
Music	2	63.32	62.94	5243	321
	3	60.37	59.17	11,456	513
	4	58.09	56.66	16,166	472
	5	56.29	54.90	15,018	252
	6	54.92	53.68	8968	73
	7	53.85	52.94	3282	9
	8	52.96	-	670	-
	9	52.17	-	60	-
Other	2	61.70	56.13	7975	293
	3	58.23	52.87	8182	184
	4	55.80	50.57	4077	44
	5	53.38	-	900	-
Productivity	2	68.09	63.48	3726	73
	3	62.07	58.70	4290	27
	4	58.61	-	2363	-
	5	56.60	-	489	-
Shopping	2	68.04	65.50	3952	262
	3	62.07	58.84	8848	386
	4	58.42	54.33	12,493	339
	5	56.04	51.42	11,466	181
	6	54.37	50.00	6890	56
	7	53.13	50.00	2665	8
	8	52.19	-	620	-
	9	51.52	-	68	-
Sports	2	65.49	68.98	2497	169
	3	59.64	64.00	3888	336
	4	55.93	60.71	3440	408
	5	53.30	58.67	1770	308
	6	51.42	57.55	506	141
	7	50.41	57.14	62	36
	8	-	57.14	-	4
Tools	2	59.51	-	2471	-
	3	54.62	-	1890	-
	4	51.64	-	536	-
Travel	2	60.51	-	1350	-
	3	57.51	-	1283	-
	4	55.67	-	594	-
	5	54.12	-	105	-

, provide insights into how permission requests vary based on app categories, offering a nuanced perspective on app behavior.

Benign apps consistently showed higher total counts across all permission sizes in nearly every genre, reflecting broader functionality and more diverse access requirements. For example, in the games genre, benign apps had 18,653 permission sets of size 2 with an average support of 68.15%, while malicious apps had just 1007. Despite the lower count, the malicious apps showed a slightly higher average support of 72.66%, which suggests more targeted combinations.

Genres such as books, entertainment, business, and travel had benign apps requesting more complex permission sets. In contrast, malicious apps were more concentrated in high-risk categories like communication, games, music, shopping, and sports. These categories often involve frequent user interactions, access to personal information, and financial features, which make them appealing targets for attackers.

The communication genre stood out, with some malicious apps requesting permission sets as large as size 11. This indicates the potential for highly invasive behaviors. Meanwhile, genres like medical and tools showed little to no significant malicious activity, pointing to generally lower risk levels. This analysis suggests that attackers may strategically choose certain genres where users are more likely to grant permissions without suspicion. Developers and users alike must be aware of these trends to better manage risk.

Takeaways. Benign apps tend to request larger permission sets in content-rich categories, while malicious apps concentrate in high-risk genres where they can exploit user trust and access sensitive data.

5.3. Comparative Analysis

5.3.1. Permissions with Ads

Ads in mobile apps are used to generate revenue by displaying promotional content, often delivered through third-party advertising networks. We analyzed whether apps that support ads request more permissions than those that do not for benign and malicious apps. The results, depicted in Figure 5, highlight several notable trends and distinctions.

For most years from 2019 to 2023, the difference in permission requests between malicious apps with ads and those without was minimal, as both types consistently requested more permissions than their benign counterparts. However, in 2023, we observed a notable shift: malicious apps with ads began requesting significantly more permissions than those without ads. This sudden jump suggests a potential change in strategy, where ad-supported malicious apps may be leveraging advertising frameworks to justify or obscure excessive permission requests. In contrast, benign apps with ads tended to request fewer permissions than benign apps without ads. This could reflect more careful permission management by developers who monetize through advertising, aiming to maintain user trust and comply with platform guidelines.

Another key observation is that even without ads, malicious apps still requested more permissions than benign apps. This indicates that the presence of ads alone does not account for permission bloat; rather, the underlying intent of the app plays a larger role. Ads may amplify the issue, especially in malicious apps, but they are not the root cause. These findings align with growing concerns around privacy in mobile ecosystems. Ad-supported malicious apps, particularly in recent years, may exploit permission requests to harvest user data under the guise of advertising functionality. The disparity between benign and malicious ad-supported apps underscores the importance of stringent privacy policies and robust security measures to prevent misuse of permissions [49,50]. This highlights the need for stronger regulatory measures, clearer app labeling, and user education on the risks of granting unnecessary permissions, especially in apps that appear benign but include aggressive ad frameworks.

Takeaways. Across the years, the difference between permissions requested by malicious apps with and without ads is minimal, except in 2023, where apps with ads show a sharp increase in the number of permissions requested.

5.3.2. In-App Purchases

In-app purchases refer to transactions made within an app, allowing users to buy additional content, features, or services, such as virtual goods, subscriptions, or premium upgrades. These purchases provide a monetization strategy for developers while enhancing user experience. We analyzed whether apps offering in-app purchases request more permissions than those that do not, for both benign and malicious apps. The results, depicted in Figure 6, highlight several notable trends.

The results reveal a clear trend: malicious apps with in-app purchases consistently request more permissions than malicious apps without them, with the gap becoming especially pronounced in 2022 and 2023. This spike suggests that malicious developers may be using in-app purchase features as a cover to justify excessive permission access, potentially to harvest sensitive user data or enable hidden behaviors. Benign apps also tended to request more permissions when in-app purchases were present, although the pattern was less consistent and more modest in scale. This is likely due to legitimate functionality needs, such as enabling payment processing, account management, or unlocking premium features. Still, the trend indicates that even benign apps need to manage permission requests carefully to maintain user trust.

It is also notable that, even without in-app purchases, malicious apps generally requested more permissions than benign apps. This suggests that in-app purchases are not the only factor driving permission requests; rather, malicious apps are inherently more aggressive in their access demands. These findings highlight an important privacy concern: the blending of functional and potentially harmful permission usage. While in-app purchases often justify added permissions, malicious apps may exploit this as a disguise for intrusive behavior. This underscores the need for transparency from developers and stricter oversight from app marketplaces and regulators. Users should be cautious of apps requesting broad permissions, especially when paired with in-app monetization features.

Takeaways. Malicious apps with in-app purchases often request more permissions, posing significant privacy risks, while benign apps must ensure transparent justified permission requests to maintain user trust and security.

5.3.3. Content Ratings

We analyzed/investigated permission requests in apps across different content ratings over a five-year interval for both benign and malicious apps, as depicted in 

Table 11. Requested permissions in benign and malicious apps by content rating categories from 2019 to 2023. Teen (15–17), Mature (M17+), Everyone 10+ (E10+), and Everyone (E). ’A’ represents the number of applications for each category, and ’P’ indicates the total number of permissions requested by that category.

Year	Benign Apps								Malicious Apps
	15–17		M17+		E10+		E		15–17		M17+		E10+		E
	A	P	A	P	A	P	A	P	A	P	A	P	A	P	A	P
2019	28	285	6	92	7	71	254	1996	25	322	3	13	3	17	94	1001
2020	85	1284	17	240	16	218	618	8203	9	201	5	51	0	0	73	633
2021	76	1149	23	370	15	227	799	10,284	12	112	2	5	1	33	105	967
2022	84	1292	22	405	29	493	973	12,613	10	143	7	53	0	0	112	971
2023	62	1045	23	362	16	271	952	11,548	3	54	5	12	2	37	91	411

, to determine how permission request vary across content rating categories.

Content rating refers to an app’s age suitability and content guidelines, providing users with information about the appropriate age group for the app’s content. Our analysis categorizes apps into four content rating groups: “Teen 15–17”, “Mature 17+”, “Everyone 10+”, and “Everyone”. The Google Play Store defines these categories and helps users understand the intended audience of each app. The “Teen 15–17” category is for apps suitable for teenagers. “Mature 17+” is for adults due to mature content. “Everyone 10+” includes apps appropriate for a general audience aged 10 and above, and “Everyone” indicates apps suitable for all age groups. These ratings help users make decisions about the apps they download and use.

Our analysis revealed that benign apps generally request more permissions than malicious ones across all rating categories. This is mainly because there are more benign apps in the dataset, with the highest count appearing in 2023. For malicious apps, 2019 peaked in terms of both app count and permission requests, followed by a steady decline, particularly in the “Teen” and “Everyone” categories. This suggests that malicious developers may be scaling back permission requests in these categories to avoid scrutiny, especially when targeting younger users.

On the other hand, benign apps showed a sharp increase in both the number of apps and permission requests, especially in the “Teen” and “Everyone” categories. This likely reflects the growing complexity of these apps, which may require broader access to device functions to support new features or services.

The “Everyone” content rating category contained the highest number of apps and the largest overall count of permissions across both benign and malicious samples. While this category is intended for general audiences, our findings indicate that many apps within it, particularly benign ones, request a substantial number of permissions. This highlights the need for continued permission oversight as even widely accessible apps may exhibit extensive access to device resources.

These observations reinforce an important principle: developers should limit permission requests to those strictly necessary for core functionality, particularly when targeting children, teens, or broad user groups. In parallel, app marketplaces and regulators should provide and enforce clearer guidelines to ensure that permission usage is both justified and appropriate for the app’s intended audience and declared functionality.

Takeaways. Malicious apps request fewer permissions, while benign apps targeting younger users request more, highlighting the need for better oversight.

5.3.4. App Star Ratings

In our analysis, we analyzed permission requests in apps across different star ratings over a five-year interval for both benign and malicious apps as shown in 

Table 12. Number of malicious apps (A) and total permissions requested (P), categorized by the apps’ star ratings and year.

Year	✩✩✩✩✩		★✩✩✩✩		★✩✩✩✩		★★★✩✩		★★★★✩		★★★★★
	A	P	A	P	A	P	A	P	A	P	A	P
2019	62	730	0	0	6	105	18	106	28	315	1	16
2020	46	523	2	26	4	20	21	161	16	150	0	0
2021	69	788	0	0	8	91	12	22	30	443	0	0
2022	47	312	0	0	9	28	20	302	42	417	0	0
2023	41	190	0	0	10	64	10	70	28	149	1	12

and 

Table 13. Number of benign apps (A) and total permissions requested (P), categorized by the apps’ star ratings and year.

Year	✩✩✩✩✩		★✩✩✩✩		★✩✩✩✩		★★★✩✩		★★★★✩		★★★★★
	A	P	A	P	A	P	A	P	A	P	A	P
2019	315	1646	4	11	27	228	82	884	214	2655	8	74
2020	414	5687	4	23	23	261	110	1435	173	2436	7	51
2021	485	6238	4	83	38	442	139	1848	225	3251	5	40
2022	523	6237	7	160	68	858	199	2869	303	4666	1	3
2023	505	5459	10	98	54	560	196	2732	278	4200	8	113

. App star ratings reflect user feedback on the Google Play Store, typically ranging from 1 to 5 stars. They help indicate an app’s quality, reliability, and user satisfaction. Some apps may have zero stars, often because they are newly released or have received little to no user feedback.

Our analysis revealed distinct trends in permission requests across star ratings. In both benign and malicious apps, 0-star apps requested the highest number of permissions. These apps may include newer or less visible apps that have not yet been reviewed but still require broad access to device features. In benign apps, 4-star apps also showed high permission usage. These are typically well-rated, feature-rich applications, which may explain their need for more permissions to support a wide range of functions.

For malicious apps, we observed a general decline in permission requests over time, with fewer apps and lower permission usage across most star ratings. This aligns with previous observations that malicious apps may be scaling back permissions to avoid detection.

Conversely, benign apps showed a consistent increase in both app count and permission usage across all rating levels, especially in 0-star, 3-star, and 4-star apps. This likely reflects the growing complexity and functionality of newer apps and those maintaining moderate to high user engagement.

Overall, this trend highlights the need for users to remain cautious. Even highly rated apps can request extensive permissions, and 0-star apps, despite lacking visible user approval, often demand the most. Developers should remain transparent about why permissions are needed, and platforms should encourage best practices to prevent unnecessary or invasive access.

Takeaways. Benign apps increasingly request more permissions across all rating levels, especially at zero and four stars. Malicious apps are trending toward fewer permissions, likely to reduce detection.

5.3.5. App Installs

App installs represent the number of times an application has been downloaded from the Google Play Store. The install count is often seen as an indicator of popularity or trust, but it does not always reflect the app’s behavior in terms of permission usage.

We analyzed how permission requests vary across different install ranges, focusing on both benign and malicious apps. For malicious apps, the 10 K–500 K download range consistently requested the highest number of permissions, far exceeding both lower and higher download groups, as shown in Figure 7. This suggests that mid-range apps may be particularly risky, as they appear popular enough to attract users but remain under the radar of stricter scrutiny.

In contrast, high-download malicious apps (500K+) showed a notable decline in permission requests over time, possibly due to tighter policy enforcement or a strategic move to avoid raising red flags.

Benign apps exhibited more stable trends across all download ranges. While permissions in the 10 K–500 K range initially declined after 2019, the overall pattern remained consistent, as seen in Figure 8. High-download benign apps showed the most controlled and predictable permission behavior, aligning with user expectations for trustworthy, well-established apps.

This comparison highlights an important privacy concern: apps with mid-level popularity, especially malicious ones, may exploit their visibility to gain excessive access. Users often assume that more downloads means more safety, but this is not always the case. Vigilance is needed not only for unknown apps but also for those sitting in the middle tier of popularity.

Takeaways. Malicious apps in the 10K–500K download range request the most permissions, while high-download apps show more restraint. Benign apps are generally more consistent, but the install count does not guarantee safe permission practices.

5.3.6. App Sizes

App size refers to the amount of storage space an application takes on a device, typically measured in megabytes (MB). We examined whether apps of different sizes request more permissions and what implications that has for privacy and security.

Our analysis compared benign and malicious apps across four size groups: very small (0–10 MB), small (10–25 MB), medium (25–50 MB), and large (50+ MB). We found that medium-sized and large malicious apps consistently requested the most permissions overall, with a sharp spike in 2023. Notably, large malicious apps (50+ MB) jumped to 28 permissions on average that year, suggesting increased data access behavior among bigger malicious apps.

In contrast, benign apps demonstrated a stable and predictable pattern across all size categories. Medium-sized benign apps consistently requested the most permissions; large apps followed with moderate levels, and small or very small benign apps remained the most lightweight in terms of permission usage.

Very small and small malicious apps showed more erratic trends, including a noticeable drop in permissions in 2023 among very small apps. This inconsistency may point to varying strategies in how smaller malicious apps operate, sometimes attempting to appear less intrusive to avoid detection.

As shown in 

Table 14. Average permission requests for malicious (M) and benign (B) Android applications categorized by app size from 2019 to 2023.

App Size	2019		2020		2021		2022		2023
	M	B	M	B	M	B	M	B	M	B
Very Small Apps 0–10 MB	6	8	10	6	5	5	8	8	5	4
Small Apps 10–25 MB	10	9	9	8	6	8	9	7	8	9
Medium Apps 25–50 MB	14	11	14	10	10	9	17	7	19	11
Large Apps 50+ MB	9	9	7	7	7	8	12	7	28	7

, these findings suggest that malicious apps, particularly larger ones, are becoming more aggressive in permission use, possibly due to increased functionality or intent to access more sensitive data. Benign apps, on the other hand, continue to follow a more consistent and expected permission pattern.

Takeaways. Medium-sized and large malicious apps request the most permissions, with a sharp rise in 2023. Benign apps remain stable, with predictable permission use based on app size.

6. Discussion

This study examines the Android permission landscape, highlighting significant trends and patterns in permission requests across a diverse range of applications. The results reveal both malicious apps’ evolving strategies and the increasing complexity and functionality of benign apps. This further underlines the dynamic nature of app development and security challenges on the Android platform.

More Requests, More Challenges: Users who download an app from the Google Play Store see two screens. The first screen provides information such as the app’s description, reviews, and screenshots. The user must select “Install” to proceed to the next screen. The second screen displays the application’s permissions in a clear, organized format. Installing the application grants all requested permissions automatically. These permissions are categorized to indicate their functionality, potential security implications, and privacy risks. For example, permissions related to location services like ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION are grouped together.

Users can find detailed information about the permission by clicking or tapping on it. This helps them understand the potential risks of installing the application. For example, the READ_CONTACTS permission includes the following description: “Allows the app to read data about your contacts stored on your device, including the frequency with which you have called, emailed, or communicated in other ways with specific individuals”. The significant number of requested permissions highlights the possibility that many users might ignore examining those requested permissions and justification [28,51], as seen with other domains (e.g., web).

Malware Requests: Android’s support for addressing malware includes sandboxing each application and alerting users about the permissions requested by the app [52,53]. Each application operates as a separate process within its virtual machine. It does not have the permissions required to perform actions or access resources that could negatively impact the system or other apps. For instance, an application cannot make phone calls, access calendar events, or modify Wi-Fi settings by default. However, an app can explicitly request these privileges through permissions, and this study highlights a range of demonstrations of such requests.

Less Permissions, More Maliciousness: One of the key findings from our analysis is the notable reduction in permission requests by malicious apps over the years. This trend suggests that malicious developers likely adopt more sophisticated techniques to avoid detection [54], possibly by strategically minimizing their permission footprint. This stealthy strategy highlights the ongoing cat-and-mouse game between app developers and security researchers, where improvements in detection methodologies lead to more subtle evasion tactics by malicious actors. This underscores the need for continuous security mechanism advancements to counteract these evolving threats effectively. In contrast, benign apps have shown increased permission requests, particularly for sensitive permissions such as location, audio recording, and fingerprint use. This trend is likely driven by modern applications’ growing complexity and feature sets, which require extensive permissions to deliver enhanced functionality. However, this raises privacy and security concerns, as users may grant access to sensitive data without fully understanding the implications. Our study emphasizes the importance of transparency and user education in permission management to mitigate the potential risks associated with excessive permission requests.

Ads and Privacy: The comparative studies conducted in this research offer deeper insights into how permissions are used across different app features and categories. For instance, apps that support advertisements or in-app purchases tend to request more permissions, which can be attributed to the need for these features to access various device functions and data. This finding highlights the need for careful monitoring and regulation of permission requests in ad-supported and commercial apps to protect user privacy. Additionally, our analysis revealed significant differences in permission requests across various app genres. For example, finance and business apps commonly request location and network permissions, while educational and productivity apps often require device management permissions. These insights provide a nuanced understanding of how different apps prioritize permissions based on their functionalities and user needs.

Dynamics and Oversight: The temporal scope of our study, spanning from 2019 to 2023, allowed us to capture trends in permission requests over time. While permissions for malicious apps generally decreased, benign apps showed a more complex pattern with fluctuations in permission requests. This indicates that regulatory changes, user expectations, and technological advancements might be crucial to shaping permission usage practices. Our findings underscore the critical need for continuous monitoring, user education, and oversight to ensure user privacy and security in app permissions.

Implications and Future Integration: To preserve user trust, permission systems must become more transparent and aligned with user intent. Ethical app design means asking only for what is needed, when it is needed, and providing clear justifications. Our findings suggest that app store policies could be updated to incorporate automated tools that assess permission behavior, recommend safer alternatives, or flag suspicious patterns during the submission process. By integrating these insights into vetting systems, platforms like the Google Play Store can promote safer, more privacy-conscious app ecosystems.

7. Limitations

AndroZoo: The dataset used was sourced from AndroZoo. Although we cross-referenced the apps with the Google Play Store to ensure that they were available in the market, this approach still does not fully capture the current diversity and state of the store. Newly released or region-specific applications not included in our dataset might not be reflected/represented in our findings, potentially affecting our results’ generalizability.

Static Analysis: We rely on decompiled APKs to extract permissions, which do not account for dynamic permission requests during app runtime [55]. This approach might overlook certain permissions that apps request after installation, underestimating permission usage. Additionally, our study compares permissions and specific app features such as advertisements, in-app purchases, content ratings, and app sizes. While this provides valuable insights, it does not explore other potentially influential factors like user reviews, developer reputation, or app update frequency. These factors could also impact permission requests and app behavior.

VirusTotal: We leverage VirusTotal to distinguish between malicious and benign apps. However, this method may not capture the full spectrum of app behaviors [56]. The classification of apps as benign or malicious is based on available datasets and might not reflect the nuanced behaviors that fall between these categories. This binary classification could simplify app behaviors’ complexity and associated risks. Moreover, while our study is extensive, its temporal scope spans from 2019 to 2023. It does not capture the early years of the Android ecosystem or the latest trends emerging post-2023. Rapid changes in app development practices could introduce new patterns in permission requests that our study does not capture.

Categorization: While we categorize permissions into higher-level semantic groups for structured analysis, this approach may overlook the unique implications of specific permissions [29]. Grouping permissions can simplify analysis but obscure individual permissions’ distinct risks and functionalities. Future research addressing these limitations could provide a more nuanced understanding of the Android permission landscape. This could help refine privacy and security practices in the mobile app ecosystem.

7.1. Recommendations

In today’s digital age, safeguarding privacy and security on mobile devices has become increasingly imperative. Android users, in particular, should protect their personal information from potential threats. To effectively enhance their privacy and security, users can adopt a series of proactive steps when dealing with app permissions on their Android devices:

• Review Permissions Before Installing Apps: Users should always check apps permissions before downloading them. They should be cautious of apps that ask for excessive or unnecessary permissions.
• Use App Store Reviews and Ratings: Users should look at reviews and ratings on official app stores. Apps with a high number of negative reviews mentioning privacy concerns or suspicious behavior should be avoided.
• Install Apps from Trusted Sources: Users should only download apps from official app stores like the Google Play Store. They should avoid third-party app stores that may not have strict security checks.
• Regularly Review App Permissions: Users should periodically check the permissions granted to installed apps and revoke any that seem unnecessary. Android settings allow users to manage and review app permissions.
• Use Security Software: Users should install reputable mobile security apps that detect and alert about potential threats and suspicious apps.
• Enable Google Play Protect: Users should enable this built-in feature to scan their device and apps for harmful behavior, helping to keep the device secure.

7.1.1. Identifying Malicious Apps Based on Permission Requests

Our analysis highlights several distinct trends that can aid in malware detection based on permission request patterns. These findings can also benefit users, enhancing their awareness through easily interpretable features that can be communicated to them.

• Excessive Permissions: Users should be wary of apps that request a large number of permissions, especially those that seem irrelevant to the app’s core functionality (e.g., a flashlight app requesting access to your contacts).
• Permissions for Sensitive Data: Users should be cautious of apps that ask for sensitive data access, such as access to their camera, microphone, location, and contacts, without a clear need. This should raise a red flag.
• Unusual Combinations of Permissions: Users should be cautious of apps requesting combinations of permissions that could compromise their privacy (e.g., access to contacts and messaging).
• Frequent Updates with New Permissions: Users should be aware that if an app frequently updates and each update requests updated permissions, this might be a sign of malicious intent.

7.1.2. Measures to Protect Privacy on Android

Protecting your privacy on Android devices is essential in an increasingly connected world. By taking proactive steps, you can safeguard your personal information and ensure a safer user experience. Here are some practical measures to enhance your Android privacy:

• Limit Data Sharing: Users should be selective about sharing personal information with apps. They should use the app’s settings to control what data it can access.
• Use Privacy-Focused Apps: Users should opt for apps known for their commitment to user privacy. They should look for apps with clear privacy policies and minimal permission requirements.
• Enable Two-Factor Authentication: Users should enable two-factor authentication (2FA) for apps and services that support it, adding an extra layer of security to their accounts.
• Regular Software Updates: Users should keep their operating system and apps updated to ensure that they have the latest security patches and features.
• Monitor App Behavior: Users should pay attention to how their apps behave. Sudden spikes in data usage, battery drain, or unusual behavior might indicate malicious activity.

8. Conclusions and Future Work

This study provides a comprehensive analysis of the Android permission landscape across app genres and time periods, distinguishing between benign and malicious apps. Our findings reveal that malicious apps typically request fewer permissions, likely as a strategy to evade detection, while benign apps request more diverse and larger permission sets to support enhanced functionality. Through the application of the FP-Growth algorithm, we uncovered frequent permission combinations and co-occurrence patterns, providing deeper insights into the behaviors of both benign and malicious apps. This analysis, conducted across the entire dataset, over five years (2019–2023), and within 16 app genres, highlighted distinct permission usage patterns, such as the more targeted and minimalistic combinations in malicious apps and the higher diversity in benign ones. Ad-supported and in-app purchase-enabled apps were found to request more permissions, raising ongoing privacy concerns. Over time, apps exhibited some privacy-conscious development trends; however, risky and excessive permissions persist, particularly in specific genres like communication and gaming. These findings emphasize the critical need for user vigilance, developer transparency, and regulatory enforcement to mitigate permission misuse. By identifying both individual and combined permission request behaviors, this research offers actionable insights to improve app development practices, enhance user education, and foster safer digital ecosystems.

Future Work: Future research can build on this study by exploring several areas. Longitudinal studies extending the time frame could reveal long-term trends in permission requests and their effects on privacy and functionality. Real-time analysis of user behavior in response to permission requests may offer insights into how developers adapt their permission strategies. Advanced machine learning techniques could predict security risks based on permission patterns, leading to tools that detect over-permissioned or malicious apps. Comparative analyses between Android and other mobile operating systems could identify best practices for permission management, while research into user education programs on app permissions could empower users to make more informed privacy decisions. Lastly, integrating association rule mining approaches like FP-Growth into broader security frameworks could enhance app screening processes, offering proactive protection against permission misuse.

Future research can also focus on translating this work’s findings into practical applications for developers and platform regulators. A possible direction is to develop automated tools that help developers audit their apps against the benign and malicious permission patterns we identified, promoting the use of minimal and necessary permissions. For platform regulators, a possible research field involves integrating our association rule mining methodology into app vetting systems to better detect subtle, low-permission profiles characteristic of malware. Another potential research direction is to leverage machine learning to build predictive models based on these permission patterns, creating supplementary security frameworks that enhance ecosystem safety and build on the direct insights of this analysis.