A joint team of researchers from Ohio State University, New York University and the CISPA Helmholtz Center for Information Security conducted a large-scale study examining more than 150,000 applications in total: the 100,000 most popular applications on Google Play, 20,000 applications from alternative (third-party) stores, and approximately 30,000 pre-installed applications extracted from Samsung smartphone firmware.
To carry out the analysis, the researchers built a tool called INPUTSCOPE. It analyzes both the context in which an application validates user input and the content that the validation compares that input against.
"We believe that input validation in mobile applications can be used to reveal secrets, such as secret backdoors and secret blacklists, as well as hidden functionality that provides access only to administrator functions and is associated with input, which is widespread in Android applications," the researchers write in their report.
Analysis with INPUTSCOPE showed that 12,706 applications contain backdoor-like behavior, including secret access keys, master passwords and secret commands. According to the researchers, all of these can help attackers gain unauthorized access to user accounts. Moreover, an attacker with physical access to a device running one of these applications could use the hidden secret commands accepted by its input fields to grant access to third parties and let them run code on the device with elevated privileges.
In total, the researchers identified more than 6,800 applications with hidden backdoors or hidden features in the Play Store, more than 1,000 in third-party application stores, and almost 4,800 suspicious applications pre-installed on Samsung devices.
"Having studied several mobile applications manually, we found that a popular remote-control application (more than 10,000,000 installations) contains a master password that can unlock access even when the phone's owner has set a remote lock in case the device is lost," the researchers say.
They also found that another popular screen-lock application (5,000,000 installations) uses an access key that can reset arbitrary users' passwords in order to unlock the screen and log in.
A streaming application (5,000,000 installations) contains an access key for its administrator interface, with which an attacker can change the application's settings and unlock additional functions.
Finally, a popular translation application (1,000,000 installations) contains a secret key used to bypass payment for premium functionality, including removing ads from the application.
Here’s a real world example we were able to find. If you tap 13 times on the version number, you get a password prompt. Enter in the Konami Code, and you get a hidden debug menu! pic.twitter.com/ixOuz6vmib
– Brendan Dolan-Gavitt (@moyix) March 31, 2020
As the examples cited by the research team show, some of these findings clearly threaten the security of the user and of the data stored on the device, while others are merely harmless Easter eggs or debugging functions that accidentally shipped in the production build.
Before publishing the report, the researchers notified every developer whose application was found to contain hidden behavior or backdoor-like mechanisms. Not all developers responded, although some applications were nevertheless updated and stripped of the hidden functionality.
It is also worth noting that, because INPUTSCOPE analyzed input fields, a by-product of the study was the discovery of applications with hidden profanity filters or politically motivated blacklists. In all, 4,028 Android applications were found to have hidden blacklists for input fields. The blacklists targeted content in Chinese, English and Korean and ranged in size from 7 to 10,000 entries.
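The pattern INPUTSCOPE looks for, input-validation code that compares user-controlled text against hard-coded constants, can be illustrated with a small static scanner. The Python below is an added example and is not INPUTSCOPE or any code from the study: it runs over a constructed Java/Android fragment (the `LockActivity` class, its methods and constants are all hypothetical) and reports two of the patterns described above, equality checks of widget input against a single constant (the master-password and secret-command findings) and substring checks of input against a constant list (the hidden-blacklist findings). INPUTSCOPE itself works on compiled app bytecode with proper data-flow analysis; this regex pass over source is a deliberate simplification of the same idea.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample fragment in the style of an Android activity. The class,
# method and constant names are hypothetical; no real application is quoted.
SAMPLE_JAVA = """\
public class LockActivity {
    private static final String MASTER = "S3cretM4ster";
    private static final String[] BANNED = {"badword1", "badword2", "badword3"};

    void onUnlock(EditText pinField) {
        String pin = pinField.getText().toString();
        if (pin.equals(MASTER)) { unlockAll(); }
        if (pin.equals("debugmode")) { showDebugMenu(); }
        if (pin.length() < 4) { showError(); }
    }

    void onPost(EditText msgField) {
        String msg = msgField.getText().toString();
        for (String w : BANNED) { if (msg.contains(w)) { reject(); } }
    }
}
"""


@dataclass
class Finding:
    kind: str          # "secret": input equals one constant; "blacklist": input contains list entries
    line: int          # 1-based line number in the scanned source
    variable: str      # user-controlled variable that is compared
    values: List[str]  # hard-coded string(s) it is compared against


# Text read from an input widget: String x = field.getText().toString();
TAINT_RE = re.compile(r'String\s+(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')
ARRAY_RE = re.compile(r'String\[\]\s+(\w+)\s*=\s*\{([^}]*)\}')
FOREACH_RE = re.compile(r'for\s*\(\s*String\s+(\w+)\s*:\s*(\w+)\s*\)')
EQUALS_RE = re.compile(r'(\w+|"[^"]*")\.equals\((\w+|"[^"]*")\)')
CONTAINS_RE = re.compile(r'(\w+)\.contains\((\w+|"[^"]*")\)')


def find_hardcoded_checks(src: str) -> List[Finding]:
    """Two-pass scan: first collect string constants and input-derived variables,
    then flag comparisons that test an input-derived variable against a constant."""
    lines = src.splitlines()
    consts: Dict[str, str] = {}        # constant name -> literal
    arrays: Dict[str, List[str]] = {}  # array name -> list of literals
    aliases: Dict[str, str] = {}       # for-each loop variable -> array it iterates
    tainted = set()                    # variables holding text read from a widget

    for ln in lines:
        for m in CONST_RE.finditer(ln):
            consts[m.group(1)] = m.group(2)
        for m in ARRAY_RE.finditer(ln):
            arrays[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
        for m in TAINT_RE.finditer(ln):
            tainted.add(m.group(1))
        for m in FOREACH_RE.finditer(ln):
            aliases[m.group(1)] = m.group(2)

    def resolve(token: str) -> Optional[List[str]]:
        """Literal value(s) behind a comparison operand, or None if it is not constant."""
        if token.startswith('"'):
            return [token.strip('"')]
        if token in consts:
            return [consts[token]]
        if token in arrays:
            return arrays[token]
        if token in aliases and aliases[token] in arrays:
            return arrays[aliases[token]]
        return None

    findings: List[Finding] = []
    for n, ln in enumerate(lines, 1):
        for m in EQUALS_RE.finditer(ln):
            # equals() is symmetric: either operand may be the input variable.
            for var, other in ((m.group(1), m.group(2)), (m.group(2), m.group(1))):
                vals = resolve(other)
                if var in tainted and vals is not None:
                    findings.append(Finding("secret", n, var, vals))
                    break
        for m in CONTAINS_RE.finditer(ln):
            vals = resolve(m.group(2))
            if m.group(1) in tainted and vals is not None:
                findings.append(Finding("blacklist", n, m.group(1), vals))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_checks(SAMPLE_JAVA):
        shown = ", ".join(repr(v) for v in f.values[:3])
        print(f"line {f.line}: {f.kind:9} {f.variable} vs {len(f.values)} constant(s): {shown}")
```

On the sample it reports the `MASTER` comparison and the `"debugmode"` literal as secrets and the `BANNED` loop as a blacklist, while ignoring the `pin.length() < 4` check, which validates input without comparing it to a hidden value. A real triage would then look at what the matching branch does (unlock, show a debug menu, reject the post) to decide whether the constant is a backdoor, a debugging leftover or a content filter, which is the manual step the researchers describe.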