Experts uncovered hidden behavior in thousands of Android Apps

A group of security researchers has found thousands of Android apps containing hidden backdoors and blacklists.

Researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security analyzed thousands of mobile applications for Android and discovered dangerous behavior, including backdoors and blacklists.

“While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content,” reads the paper published by the experts.

The experts devised a tool, named INPUTSCOPE, that allows them to inspect the Android apps and find any suspicious behavior by detecting the execution context of user input validation and also the content involved in the validation.

“We find that input validation in mobile apps can be used to expose input triggered secrets such as backdoors and blacklist secrets, and that input-dependent hidden functionality is widespread in Android apps,” continue the researchers.

Experts analyzed more than 150,000 Android applications, including the top 100,000 apps from the official Google Play, the top 20,000 apps from an alternative store, and 30,000 pre-installed apps extracted from Samsung smartphones’ firmware.

The experts discovered 12,706 applications (8.47%) containing some sort of backdoor (secret access keys, master passwords, and secret commands providing access to admin-only functions), and 4,028 apps (2.69%) that include blacklist secrets, which block content based on specific keywords subject to censorship, cyberbullying or discrimination.

“we first identified 114,797 mobile apps that contain equivalence checking. Note that an app can detect whether a user input is empty by simply checking whether the input is equivalent to an empty string.” continues the paper. “There are 34,958 mobile apps that perform these empty-only checks, and we thus exclude them from further analysis. In the remaining 79,839 mobile apps, INPUTSCOPE identified 4,028 apps containing blacklist secrets and 12,706 apps containing backdoor secrets. There are 7,584 apps with secret access keys, 501 apps that embed master passwords, and 6,013 apps with secret commands. Moreover, these security risks hold generally across all of our data sources. Specifically, the prevalence of backdoor secrets in apps is 6.86%, 5.32%, and 15.96% on the Google Play store, the alternative market, and pre-installed apps, respectively, and the percentage of apps containing blacklist secrets in these three data sources are 1.98%, 4.46%, and 3.87%.”
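
A simplified sketch of the filtering the paper describes above, added here as an illustration and not INPUTSCOPE's own code: it finds string-equality checks on user input in source text, discards inputs that are only compared with the empty string, and reports the hard-coded values that remain. The Java snippet, its variable names and its literals are constructed, and treating `getText().toString()` as the only input source is an assumption.

```python
import re

# Constructed sample: decompiled-style Java from a hypothetical app screen.
SAMPLE_JAVA = '''
String pin = pinField.getText().toString();
if (pin.equals("")) { showError(); }
if (pin.equals("8675309#")) { openAdminPanel(); }
String msg = chatBox.getText().toString();
if (msg.equalsIgnoreCase("debugmenu")) { enableDebug(); }
String name = nameField.getText().toString();
if (name.isEmpty() || "".equals(name)) { showError(); }
'''

# Assumption: a variable assigned from <widget>.getText().toString() is user input.
INPUT_SRC = re.compile(r'(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
# var.equals("lit") and var.equalsIgnoreCase("lit")
VAR_FIRST = re.compile(
    r'(\w+)\.equals(?:IgnoreCase)?\(\s*"((?:[^"\\\n]|\\.)*)"\s*\)')
# "lit".equals(var) and "lit".equalsIgnoreCase(var)
LIT_FIRST = re.compile(
    r'"((?:[^"\\\n]|\\.)*)"\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)')


def find_equivalence_checks(source):
    """Map each user-input variable to the string literals it is compared with."""
    tainted = set(INPUT_SRC.findall(source))
    checks = {var: [] for var in tainted}
    for var, lit in VAR_FIRST.findall(source):
        if var in tainted:
            checks[var].append(lit)
    for lit, var in LIT_FIRST.findall(source):
        if var in tainted:
            checks[var].append(lit)
    return checks


def candidate_secrets(source):
    """Drop inputs with empty-only checks; keep non-empty hard-coded literals."""
    findings = {}
    for var, lits in find_equivalence_checks(source).items():
        non_empty = sorted({lit for lit in lits if lit != ""})
        if non_empty:  # an input compared only with "" is a presence check
            findings[var] = non_empty
    return findings


if __name__ == "__main__":
    for var, lits in sorted(candidate_secrets(SAMPLE_JAVA).items()):
        print(f"review: input '{var}' is compared with hard-coded {lits}")
```

Each reported literal still needs manual review, as the researchers did, to decide whether it is a backdoor, a blacklist entry or a harmless constant.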

The experts discovered access keys that could be used to access applications’ admin interface, and master passwords, as well as secret commands, in thousands of applications. Some of the commands discovered by the experts could be used to trigger hidden functions.

The researchers also found blacklists targeting content in Chinese, English and Korean.

The experts reported the issues to the development teams behind the apps after validating their discoveries manually, but unfortunately many of them have yet to fix the issues found by the experts.

“While input validation has been well studied in vulnerability discovery, in this paper we have demonstrated that input validation can also have another important application, namely exposing input-triggered secrets such as backdoors (e.g., secret access keys, master passwords, and secret privileged commands) and blacklists of unwanted items (e.g., censorship keywords, cyber-bullying expressions, and weak passwords),” the researchers conclude.

Pierluigi Paganini

(SecurityAffairs – malware, Android apps)
