Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered.
With smartphones being part of our everyday lives, millions of applications are used for a broad variety of activities, yet many of them engage in behaviors that are never disclosed to their users.
Setting out to discover such behaviors, researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security built a tool that can detect “the execution context of user input validation and also the content involved in the validation,” and thus uncover any secrets of interest.
Called INPUTSCOPE, the tool was tested on more than 150,000 Android applications: the top 100,000 apps from Google Play, 20,000 apps from an alternative market, and 30,000 pre-installed apps extracted from Samsung smartphones’ firmware.
“We find that input validation in mobile apps can be used to expose input triggered secrets such as backdoors and blacklist secrets, and that input-dependent hidden functionality is widespread in Android apps,” the researchers say in their whitepaper (PDF).
The research uncovered 12,706 applications (8.47%) with backdoor secrets (secret access keys, master passwords, and secret commands providing access to admin-only functions), and 4,028 apps (2.69%) that contain blacklist secrets (they would block content based on keywords subject to censorship, cyber bullying or discrimination).
INPUTSCOPE revealed access keys that unlock an application’s admin interface (allowing configuration changes not available to regular users), keys that allow the recovery or reset of regular users’ passwords, and keys that can be used to obtain paid in-app services for free.
Additionally, the research identified hundreds of master passwords, as well as secret commands in thousands of applications, including commands for debugging and for triggering hidden functions unknown to regular users.
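The pattern behind these findings is a validation check that compares user-controlled input against a constant embedded in the app. As an added illustration (not INPUTSCOPE and not code from the paper), the toy heuristic below scans decompiled Java-like source for input-derived variables that are compared to string literals; the source/sink patterns and the sample code are constructed assumptions.

```python
"""Toy heuristic for input-triggered secrets in decompiled Android code.
Added example; much simpler than INPUTSCOPE's analysis."""
import re
from dataclasses import dataclass

# Assumed sources of user input: EditText.getText().toString() or an
# Intent string extra. Assumed validation sinks: equals()/equalsIgnoreCase()
# against a string literal, in either operand order.
INPUT_SOURCE = re.compile(
    r'(\w+)\s*=\s*[\w.]+\.(getText\(\)\.toString|getStringExtra)\(')
CONST_COMPARE = re.compile(r'(\w+)\.(equals|equalsIgnoreCase)\(\s*"([^"]*)"\s*\)')
LITERAL_FIRST = re.compile(r'"([^"]*)"\.(equals|equalsIgnoreCase)\(\s*(\w+)\s*\)')


@dataclass
class Finding:
    line_no: int
    variable: str
    literal: str


def scan(source: str) -> list[Finding]:
    """Return every comparison of an input-derived variable to a literal."""
    tainted: set[str] = set()   # variables that hold user input
    findings: list[Finding] = []
    for no, line in enumerate(source.splitlines(), 1):
        m = INPUT_SOURCE.search(line)
        if m:
            tainted.add(m.group(1))
        for m in CONST_COMPARE.finditer(line):
            var, _, lit = m.groups()
            if var in tainted:
                findings.append(Finding(no, var, lit))
        for m in LITERAL_FIRST.finditer(line):
            lit, _, var = m.groups()
            if var in tainted:
                findings.append(Finding(no, var, lit))
    return findings


# Constructed sample of decompiled app code; not taken from any real app.
SAMPLE = '''
String pw = passwordField.getText().toString();
if (pw.equals(session.getPassword())) { login(); }
if ("CONSTRUCTED-MASTER-PW".equals(pw)) { adminLogin(); }
String cmd = intent.getStringExtra("cmd");
if (cmd.equalsIgnoreCase("debugmenu")) { showDebugMenu(); }
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.variable!r} compared to constant {f.literal!r}")
```

The comparison against a dynamically obtained value on line 3 of the sample is not flagged; only the hardcoded master password and the hidden debug command are reported.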
The observed blacklists targeted content in Chinese, English and Korean, and ranged in size from more than 10,000 items down to as few as 7.
The researchers also note that they validated the discoveries manually and then contacted the application developers to disclose the verified issues. However, not all developers have addressed these issues so far.
“The hidden functionality that INPUTSCOPE has identified can have severe consequences to either app users or developers, and these apps need to be patched by app developers,” the researchers note.