A new study claims that thousands of Android apps may come with input-triggered secrets such as backdoors and blacklists of unwanted items. A total of 150,000 apps have been analysed using a newly developed tool called InputScope. Out of these, 12,706 apps were found to have presence of backdoors, and over 4,028 apps seem to be checking for blacklisted words. From the 150,000 apps, 100,000 apps were from Google Play Store and 30,000 apps were pre-installed ones on Samsung phones.
The new study comes from researchers at Ohio State University, New York University, and the Helmholtz Center for Information Security (CISPA). These researchers analysed these 150,000 apps using an analysis tool called InputScope. This tool helped in automatic detection of both the execution context of user input validation and the content involved in the validation to automatically expose hidden functionality. As mentioned, the pool of apps had Android apps from Google Play Store, pre-installed apps from Samsung phones, and 20,000 apps from Chinese market Baidu as well.
The test uncovered 12,706 mobile apps containing backdoor secrets and 4,028 mobile apps containing blacklist secrets. Undocumented backdoors include secret access keys, master passwords, and secret privileged commands, and blacklists of unwanted items include censorship keywords, cyber-bulling expressions, and weak passwords.
The study also showed that pre-installed apps showed more unethical backdoors behaviours than other apps. The percentage of undocumented backdoor instances on pre-installed apps was around 16 percent, while Google Play Store apps were at 6.8 percent. Baidu apps were at 5.3 percent – the least of the lot. For blacklisting, 4.5 percent of apps were from Baidu, 3.9 percent apps were from pre-installed apps, and 2 percent apps were from Google.
These secret backdoors and blacklists on apps can allow for remote login, reset user passwords, stop users from accessing content, and let hackers bypass payment interfaces. All of these exist without any user knowledge, and this poses as another great threat in the chaotic Android ecosystem.