Experts uncovered hidden behavior in thousands of Android Apps

A group of security researchers has found thousands of Android apps containing hidden backdoors and blacklists.

Researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security analyzed thousands of mobile applications for Android and discovered dangerous behavior, including backdoors and blacklists.

“While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content” reads the paper published by the experts.

The experts devised a tool named INPUTSCOPE that inspects Android apps for suspicious behavior by identifying the execution context of user input validation and the content involved in that validation.

“We find that input validation in mobile apps can be used to expose input triggered secrets such as backdoors and blacklist secrets, and that input-dependent hidden functionality is widespread in Android apps,” continue the researchers.

Experts analyzed more than 150,000 Android applications, including the top 100,000 apps from the official Google Play store, the top 20,000 apps from an alternative store, and 30,000 pre-installed apps extracted from Samsung smartphones’ firmware.

The experts discovered 12,706 applications (8.47%) containing some sort of backdoor (secret access keys, master passwords, and secret commands providing access to admin-only functions), and 4,028 apps (2.69%) that include blacklist secrets, which block content based on specific keywords subject to censorship, cyber bullying or discrimination.

“we first identified 114,797 mobile apps that contain equivalence checking. Note that an app can detect whether a user input is empty by simply checking whether the input is equivalent to an empty string.” continues the paper. “There are 34,958 mobile apps that perform these empty-only checks, and we thus exclude them from further analysis. In the remaining 79,839 mobile apps, INPUTSCOPE identified 4,028 apps containing blacklist secrets and 12,706 apps containing backdoor secrets. There are 7,584 apps with secret access keys, 501 apps that embed master passwords, and 6,013 apps with secret commands. Moreover, these security risks hold generally across all of our data sources. Specifically, the prevalence of backdoor secrets in apps is 6.86%, 5.32%, and 15.96% on the Google Play store, the alternative market, and pre-installed apps, respectively, and the percentage of apps containing blacklist secrets in these three data sources are 1.98%, 4.46%, and 3.87%.”
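The filtering funnel in that quote (equivalence check present, empty-only checks excluded, remaining comparisons treated as candidate secrets) can be illustrated with a small source-level audit script. This is an added example, not INPUTSCOPE and not code from the paper: it is a much-simplified regex heuristic over Java source, it assumes `getText()` is the only user-input source, and the sample snippet with its `DEBUG-0000` literal and method names is constructed.

```python
import re

# Constructed sample (not from any real app): an empty check, a hardcoded
# comparison on user input, and a comparison that never sees user input.
SAMPLE_JAVA = '''
String pin = pinField.getText().toString();
String trimmed = pin.trim();
String label = "settings";
if (trimmed.equals("")) { showError(); return; }
if ("DEBUG-0000".equals(trimmed)) { openAdminPanel(); }
if (label.equals("settings")) { openSettings(); }
'''

STR = r'"((?:[^"\\]|\\.)*)"'
EQ = r'\.(?:equals|equalsIgnoreCase|contentEquals)'
ASSIGN = re.compile(r'\b(\w+)\s*=(?!=)\s*([^;]+);')
VAR_FIRST = re.compile(r'\b(\w+)' + EQ + r'\(\s*' + STR + r'\s*\)')   # x.equals("lit")
LIT_FIRST = re.compile(STR + EQ + r'\(\s*(\w+)\s*\)')                 # "lit".equals(x)

def tainted_vars(source):
    """Variables assigned from getText() (assumed input source) or from a tainted variable."""
    tainted, changed = set(), True
    while changed:                      # iterate to a fixed point
        changed = False
        for name, rhs in ASSIGN.findall(source):
            if name in tainted:
                continue
            if ".getText()" in rhs or any(re.search(rf"\b{re.escape(t)}\b", rhs) for t in tainted):
                tainted.add(name)
                changed = True
    return tainted

def input_comparisons(source):
    """(variable, literal) pairs where a tainted variable is compared to a string literal."""
    tainted = tainted_vars(source)
    pairs = VAR_FIRST.findall(source) + [(v, lit) for lit, v in LIT_FIRST.findall(source)]
    return [(v, lit) for v, lit in pairs if v in tainted]

def classify(source):
    """Mirror the funnel in the quote: no check, empty-only check, or candidate secret."""
    comparisons = input_comparisons(source)
    if not comparisons:
        return "no-equivalence-check", []
    literals = sorted({lit for _, lit in comparisons if lit != ""})
    return ("candidate-secret" if literals else "empty-only"), literals

if __name__ == "__main__":
    print(classify(SAMPLE_JAVA))
```

A flagged literal is only a lead for manual review of what the matching branch does; the comparison on `label` is ignored because it never receives user input.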

The experts discovered access keys that could be used to access applications’ admin interface, and master passwords, as well as secret commands, in thousands of applications. Some of the commands discovered by the experts could be used to trigger hidden functions.

The researchers also found blacklists targeting content in Chinese, English and Korean.

The experts reported the issues to the development teams behind the apps after validating their discoveries manually, but unfortunately many of them have yet to fix the issues found by the experts.

“While input validation has been well studied in vulnerability discovery, in this paper we have demonstrated that input validation can also have another important application, namely exposing input-triggered secrets such as backdoors (e.g., secret access keys, master passwords, and secret privileged commands) and blacklists of unwanted items (e.g., censorship keywords, cyber-bullying expressions, and weak passwords).” the researchers conclude.

Pierluigi Paganini

(SecurityAffairs – malware, Android apps)
