A comprehensive academic study published this week has discovered hidden backdoor-like behavior — such as secret access keys, master passwords, and secret commands — in more than 12,700 Android applications.
To discover this hidden behavior, academics from Europe and the US developed a custom tool named InputScope, which they used to analyze input form fields found inside more than 150,000 Android applications.
More precisely, academics analyzed the top 100,000 Play Store apps (based by their number of installations), the top 20,000 apps hosted on third-party app stores, and more than 30,000 apps that came pre-installed on Samsung handsets.
“Our evaluation uncovered a concerning situation,” the research team said. “We identified 12,706 apps containing a variety of backdoors such as secret access keys, master passwords, and secret commands.”
Researchers say these hidden backdoor mechanisms could allow attackers to gain unauthorized access to users’ accounts. Further, if the attacker has physical access to a device and one of these apps was installed, it could also grant attackers access to a phone or allow them to run code on the device with elevated privileges (due to the hidden secret commands present in the app’s input fields).
Some examples of hidden backdoor-like mechanisms
“Nor are such cases hypothetical,” the research team said, referring to one particular example.
“By manually examining several mobile apps, we found that a popular remote control app (10 million installs) contains a master password that can unlock access even when locked remotely by the phone owner when [the] device is lost,” researchers said.
“Meanwhile, we also discovered a popular screen locker app (5 million installs) uses an access key to reset arbitrary users’ passwords to unlock the screen and enter the system.
“In addition, we also found that a live streaming app (5 million installs) contains an access key to enter its administrator interface, through which an attacker can reconfigure the app and unlock additional functionality.
“Finally, we found a popular translation app (1 million installs) contains a secret key to bypass the payment for advanced services such as removing the advertisements displayed in the app.
Here’s a real world example we were able to find. If you tap 13 times on the version number, you get a password prompt. Enter in the Konami Code, and you get a hidden debug menu! pic.twitter.com/ixOuz6vmib
— Brendan Dolan-Gavitt (@moyix) March 31, 2020
As can be seen from the examples provided by the research team, some issues clearly pose a danger to the user’s safety, and the data stored on the device, while others were just harmless Easter eggs or debugging features that accidentally made it into production.
In total, researchers said they found more than 6,800 apps with hidden backdoors/functions on the Play Store, more than 1,000 on third-party stores, and almost 4,800 apps that came pre-installed on Samsung devices.
The research team said they notified all the app developers where they found hidden behavior or a backdoor-like mechanism. However, not all app devs responded.
As a result, some of the apps that were provided as examples in the team’s white paper have had their names redacted to protect their users.
Additional details about the research are available in a scientific paper entitled “Automatic Uncovering of Hidden Behaviors FromInput Validation in Mobile Apps,” published by researchers from Ohio State University, New York University, and the CISPA Helmholtz Center for Information Security from Germany.
Since the InputScore tool analyzed input fields inside Android apps, a side-effect of this research was that the academic team also discovered which apps employed hidden bad word filters or politically-motivated blacklists. In total, researchers said they found 4,028 Android apps that featured input blacklists.