This study addresses critical security weaknesses in Android’s permission system, where automatic group-based grants and silent issuance of normal-level custom permissions undermine user informed consent. By analyzing 19.3 million APKs from AndroZoo and validating findings on physical devices, we demonstrate for the first time that silent privilege escalation within permission groups is significantly correlated with malicious apps—malware exhibits a 35% higher likelihood of such escalation, rising to 106% among high-privilege applications. Furthermore, we identify 307 cross-developer custom permission pairs that inadvertently expose sensitive data. Leveraging only public APIs, we implement a lightweight runtime monitoring prototype that, over 96 days, successfully detected 23 silent escalation events across 13 applications, proving that effective transparency can be achieved without modifying the Android system.

Android's permission system is designed to balance usability with informed consent, yet two legacy mechanisms still undermine that balance in Android 16: (i) permission groups that silently auto-grant new permissions within a group after a user's initial approval, and (ii) normal-level custom permissions that are auto-granted at install and enable cross-app access with no user visibility. We conduct a longitudinal analysis of 19.3 million APKs spanning 5.97 million unique apps (distinct package identifiers) from the AndroZoo repository, combined with on-device validation on Android 16. Among 2,244,575 multi-version apps, 381,026 (17%) silently gain permissions within already-granted groups. Using VirusTotal detections with primary threshold t=20, apps flagged as malware expand within groups at a higher rate than benign apps (odds ratio = 1.35, p < 0.001); the association holds across every tested threshold and concentrates in permission-heavy apps (OR = 2.06 in the top quartile). We also identify 307 cross-developer normal-custom-permission pairs that expose contacts, SMS, location, authentication credentials, user identity, and medical records to unrelated apps without any user prompt. A lightweight prototype built on public Android APIs recorded 23 silent expansion events across 13 apps during a 96-day single-device pilot, showing that update-time transparency is reachable without OS modification. Our results show that consent erosion persists despite a decade of platform hardening and affects apps ranging from obscure utilities to widely deployed and pre-installed software.