Over 12,700 Android Apps Found To Have Undisclosed Backdoors

Undoubtedly this is shocking news for all of us! Academic researchers have found peculiar behavior in more than 6,800 Play Store apps, 1,000 apps from third-party app stores, and more than 4,800 apps that were pre-installed on devices. The behavior resembles backdoors "that are not publicly disclosed to users". The comprehensive study was made public this week and documents undisclosed backdoor behavior such as master passwords, secret access keys, and secret commands, found in over 12,700 Android apps.

To discover these behaviors, academic researchers from the United States and the United Kingdom came together and created a custom tool called 'InputScope'. The researchers used this tool to analyze the input from all fields inside more than 150,000 Android applications. More precisely, they analyzed the top 100,000 Play Store apps (based on their download rate), the top 20,000 apps from third-party app stores, and more than 30K apps that were pre-installed on Samsung devices.

Their analysis revealed a 'concerning situation': more than 12,700 apps contained backdoors such as master passwords, secret commands, and secret access keys. The problem with these backdoors is that attackers can easily gain control of a user's app without authorization and use their accounts. What is more, if someone compromises one of these apps on a phone, they can compromise the whole phone. They can access the phone and run code on the device with elevated privileges, because of the hidden secret commands accepted by the app's input fields.


The researchers elaborated on examples of this behavior. When they manually examined some of the apps, they found that one of the most popular remote control apps (with 10 million installations) contained a master password that can unlock the device even after the user has locked it remotely because it was lost. They also found that a screen locker app (with 5 million installations) uses an access key to reset users' passwords and unlock the screen to enter the system. Another app, a streaming app, had an access key for entering the admin interface. Finally, a transaction app had a secret key for bypassing payment for advanced services (to remove ads from the app).
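As an added illustration (not code from the researchers and not how InputScope itself is implemented), the pattern behind these examples, text from an input field compared against a secret embedded in the app, can be hunted for in decompiled source with a simple heuristic. The sample Java, the secrets in it and the function name are constructed for this example.

```python
import re

# Constructed sample: Java as it might look after decompiling an app under review.
SAMPLE_JAVA = '''
public void onUnlock(View v) {
    String pin = pinField.getText().toString();
    if (pin.equals(storedPinHash)) { unlock(); }
    if (pin.equals("8a3f-master")) { unlock(); }
    if ("debug#on".equals(cmdField.getText().toString())) { enableDebug(); }
    if (keyField.getText().toString().equalsIgnoreCase("ADMIN-KEY")) { openAdmin(); }
    if (mode.equals("landscape")) { rotate(); }
}
'''

EQ = r'\.equals(?:IgnoreCase)?\('
# String x = widget.getText().toString();  -> x holds user input
TAINT_ASSIGN = re.compile(r'\b(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
# x.equals("literal")
VAR_EQ_LIT = re.compile(r'\b(\w+)' + EQ + r'\s*"([^"]*)"')
# "literal".equals(x)  or  "literal".equals(widget.getText()...)
LIT_EQ_EXPR = re.compile(r'"([^"]*)"' + EQ + r'\s*(\w+)(\.getText\(\))?')
# widget.getText().toString().equals("literal")
DIRECT_EQ_LIT = re.compile(r'\.getText\(\)\.toString\(\)' + EQ + r'\s*"([^"]*)"')

def find_hardcoded_input_checks(java_source):
    """Return (line_number, literal) for each comparison of input-field text
    against a string literal. Heuristic only: the taint set is per file and
    not flow-sensitive, so every hit needs manual review."""
    tainted = set(TAINT_ASSIGN.findall(java_source))
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for var, literal in VAR_EQ_LIT.findall(line):
            if var in tainted:
                findings.append((lineno, literal))
        for literal, name, direct in LIT_EQ_EXPR.findall(line):
            if direct or name in tainted:
                findings.append((lineno, literal))
        for literal in DIRECT_EQ_LIT.findall(line):
            findings.append((lineno, literal))
    return findings

if __name__ == "__main__":
    for lineno, literal in find_hardcoded_input_checks(SAMPLE_JAVA):
        print(f"line {lineno}: input compared with embedded secret {literal!r}")
```

The comparison against `storedPinHash` and the non-input check on `mode` are deliberately not reported; only literals that gate behavior on what the user typed are flagged.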

The examples above show that some of these apps endanger the safety and privacy of their users. However, some apps don't have any suspicious or backdoor behavior. While looking for these undisclosed behaviors, the academic team was also able to find which apps employ 'bad word' filters or politically motivated blacklists. In total, the researchers found more than 4,000 Android apps that had input blacklists, and that can be really dangerous for users' security.
