- Researchers from Ohio, New York, and Germany have analyzed 150k Android apps, finding hidden backdoors in 8.5% of them.
- Most of the risky apps come pre-installed on Samsung devices, which confirms Samsung users’ worries.
- These apps aren’t malware, but some of them come with risky privilege escalation commands hidden in their code.
A team of academic researchers from the United States and Germany has analyzed a large number of Android applications (150,000) by using a custom tool called InputScope. This bulk input-validation analysis revealed that thousands of Android apps contain hidden backdoors, secret commands, code meant to achieve elevation of privileges, secret access keys, and master passwords, as well as hard-coded blacklists. One hundred thousand of these apps are the top user choices on Google’s Play Store, another 20,000 are the top apps in third-party app stores, and the remaining 30,000 are apps that come pre-installed on Samsung devices.
The results are very concerning, as the number of apps that contain risky hidden code is large. Here is an overview of what InputScope yielded:
- Apps containing hidden backdoors: 12,706
- Apps containing secret access keys: 7,584
- Apps containing secret commands: 6,013
- Apps containing secret blacklists: 4,028
Here’s a real world example we were able to find. If you tap 13 times on the version number, you get a password prompt. Enter in the Konami Code, and you get a hidden debug menu! pic.twitter.com/ixOuz6vmib
— Brendan Dolan-Gavitt (@moyix) March 31, 2020
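Hidden behaviors like the ones counted above can be looked for in review by finding places where user-entered text is compared against a literal hard-coded in the app. The following is an added illustration of that idea, not InputScope and not the researchers' code: a simplified line-based heuristic over Java source, where the sample snippet, its identifiers and its literals are all constructed, and `getText()` is assumed to be the only input source.

```python
import re

# Constructed sample resembling decompiled Java from an Android activity.
# All identifiers and literals are made up for this example.
SAMPLE = """\
String pin = pinField.getText().toString();
String cmd = cmdField.getText().toString().trim();
String label = getString(R.string.title);
if (pin.equals(storedHash)) { unlock(); }
if (pin.equals("8675309")) { unlock(); }
if ("*#debug#".equals(cmd)) { openDebugMenu(); }
if (label.equals("Settings")) { render(); }
if (nameField.getText().toString().contains("badword")) { reject(); }
"""

INPUT_SOURCE = re.compile(r'\.getText\(\)')   # assumed user-input source
ASSIGN = re.compile(r'\b(\w+)\s*=\s*(.+);')   # var = <expression>;
COMPARE = r'(equals|equalsIgnoreCase|contains|startsWith)'
LIT = r'"((?:[^"\\]|\\.)*)"'                  # a Java string literal
CHAIN = r'((?:\w+(?:\(\))?\.)*\w+(?:\(\))?)'  # a.b().c() style receiver
# receiver.equals("literal")
RECV_FORM = re.compile(CHAIN + r'\.' + COMPARE + r'\(\s*' + LIT + r'\s*\)')
# "literal".equals(variable)
ARG_FORM = re.compile(LIT + r'\.' + COMPARE + r'\(\s*(\w+)\s*\)')


def find_hardcoded_input_checks(source):
    """Return (line, method, literal) for user input compared to a literal."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Remember variables that were assigned directly from user input.
        m = ASSIGN.search(line)
        if m and INPUT_SOURCE.search(m.group(2)):
            tainted.add(m.group(1))
        for recv, method, lit in RECV_FORM.findall(line):
            if recv in tainted or INPUT_SOURCE.search(recv):
                findings.append((lineno, method, lit))
        for lit, method, arg in ARG_FORM.findall(line):
            if arg in tainted:
                findings.append((lineno, method, lit))
    return findings


if __name__ == "__main__":
    for lineno, method, lit in find_hardcoded_input_checks(SAMPLE):
        print(f"line {lineno}: user input {method}() against hard-coded {lit!r}")
```

Comparisons against non-literal values (such as `storedHash`) and literals compared with non-input strings are deliberately not reported; each hit still needs manual triage to tell an Easter egg from a master password, secret command, or blacklist entry.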
To set things straight, seeing “Easter eggs” in software – and especially games – isn’t anything out of the ordinary. However, many of the hidden functions that were discovered by the research team were genuinely risky. Having ways to escalate privileges on a device, for example, could never qualify as innocuous. It is also important to mention that 16% of the apps that feature secret backdoors are those that come pre-installed on Samsung devices, which is very worrying.
In January, we discussed why the community was calling on Samsung to remove “Qihoo 360” bloatware from its devices, and this latest research confirms the customers’ unease. Samsung devices are considered premium, and the Korean smartphone maker should treat its customers with more respect, at least giving them the option to remove these pre-installed apps.
The team that conducted the research informed the developers of the apps they considered most dangerous for users, but the majority didn’t bother to respond. The researchers decided not to reveal the names of the apps in their study, but they did mention that some of them have tens of millions of installations. Also, the backdoor-planting practice spreads over a broad spectrum of app categories, including tools, games, shopping apps, education aids, social media platforms, productivity apps, etc. The problem is clearly very extensive, and Google will have to do a lot of work to address it. These apps may not be outright malware, but they still carry potentially severe risks for their users.