Extensive academic research has discovered hidden backdoors in 12,706 Android applications. These include secret access keys, master passwords and secret commands found in 6,800 Play Store apps, 1,000 apps from third-party app stores and nearly 4,800 pre-installed apps.
Academics from Europe and the United States developed a tool called InputScope, which they used to analyse the input form fields of over 150,000 Android applications. The research team examined the 100,000 most-installed Play Store apps, the top 20,000 applications from third-party app stores and more than 30,000 apps pre-installed on Samsung phones.
The researchers speak of a ‘worrying situation’ and say that these backdoor functionalities can give unauthorised access to user accounts. If someone has physical access to a device on which one of these apps is installed, they can use it to give others access to the device or to execute code on the device with elevated permissions. This is possible because hidden commands entered into the app’s input fields bypass its security measures.
The research team said they notified every developer in whose app a hidden backdoor or other unintended feature was discovered. Not every developer responded, however. The names of applications whose developers did not respond are therefore not disclosed, to protect their users.
Examples
The research team found a popular app for using the device as a remote control (10 million installations) that contains a master password which unlocks access, even if the original owner has locked the phone remotely after losing it.
“We also discovered a popular screen lock app (5 million installations) that contains an access key to reset the passwords of random users to allow them to enter the system,” said the researchers.
Not everything is a danger to users. Harmless easter eggs and debug menus were also found. In passing, the research team also found, using the InputScope tool, 4,028 Android applications that use input blacklists, such as filters for inappropriate words or political statements.
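The pattern the researchers describe, a value typed into an input field being compared against a secret hard-coded in the app, is something a reviewer can screen for in decompiled source. The following is an added illustration of such a check written for this page; it is not the InputScope tool or any of the apps' code, and the Java lines it scans are constructed to mimic a master password, a secret command and a debug easter egg.

```python
import re

# Constructed sample of decompiled Android source lines (hypothetical, not from any real app).
SAMPLE_SOURCE = """\
String pin = pinField.getText().toString();
if (pin.equals(storedPinHash)) { unlock(); }
if (pin.equals("0000-MASTER")) { unlock(); }            // master password backdoor
String cmd = cmdField.getText().toString();
if ("debug:shell".equals(cmd)) { openShell(); }         // secret command
if (BuildConfig.DEBUG && cmd.equals("eggs")) { egg(); } // debug easter egg (still flagged)
if (name.equalsIgnoreCase("john")) { greet(); }
"""

# A local variable being assigned the text of a UI input widget: var = field.getText().toString()
INPUT_READ = re.compile(r'(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
# var.equals("literal"), var.equalsIgnoreCase("literal") or the Yoda form "literal".equals(var)
LITERAL_CMP = re.compile(
    r'(\w+)\.equals(?:IgnoreCase)?\(\s*"([^"]*)"\s*\)'
    r'|"([^"]*)"\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)'
)


def find_hardcoded_input_checks(source: str):
    """Return (line_no, variable, literal) for every comparison of a UI input value
    against a string literal. Comparisons with non-literal values (e.g. a stored hash)
    and comparisons on variables that never came from an input field are ignored."""
    input_vars = set()
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        read = INPUT_READ.search(line)
        if read:
            input_vars.add(read.group(1))
        for cmp in LITERAL_CMP.finditer(line):
            var = cmp.group(1) or cmp.group(4)
            literal = cmp.group(2) if cmp.group(1) else cmp.group(3)
            if var in input_vars:
                findings.append((line_no, var, literal))
    return findings


if __name__ == "__main__":
    for line_no, var, literal in find_hardcoded_input_checks(SAMPLE_SOURCE):
        print(f"line {line_no}: input '{var}' compared with hard-coded {literal!r}")
```

Each hit is a candidate, not a verdict: a flagged literal may be a harmless easter egg, a debug hook or a backdoor, which is exactly the triage the researchers describe.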