Starting from Android API 23, Android apps need to request appropriate runtime permissions before accessing restrict data or performing restrict actions, such as reading files or taking photos. Further, users can revoke the permissions that were previously granted to an app in system settings later or even during runtime of the app by keeping the app in background, going to system settings to disable the permissions, and returning back to the app. This can cause an app to crash if the app doesn't handle the runtime permissions carefully. To automatically detect the crashes related to runtime permissions, this paper proposes an approach in which a crawler is first used to explore and detect permission crashes of Android apps systematically. During the exploration, a state model is also produced. Based on the model, test paths related to runtime permissions are generated. These test paths are further injected with operations to revoke the already granted permissions and executed using a test runner directly to detect the crashes that can occur if users disable the granted permissions manually. The experimental results show that the proposed approach can detect runtime permission crashes effectively.