A new study claims that thousands of Android apps contain input-triggered secrets such as backdoors and blacklists of keywords and other unwanted items. A newly developed tool called InputScope analysed a total of 150,000 apps and found that 12,706 apps have backdoors and 4,028 apps check input against blacklisted words. Of the 150,000 apps, around 100,000 came from the Google Play Store and about 30,000 were found pre-installed on Samsung phones.
The study comes from researchers at the Ohio State University, New York University, and the Helmholtz Center for Information Security (CISPA). The researchers analysed these 150,000 apps with an analysis tool called InputScope, which detects both the execution context of user-input validation and the content involved in that validation, and uses this to automatically expose hidden functionality. The pool of apps comprised Android apps from the Google Play Store, pre-installed apps from Samsung phones, and 20,000 apps from the Chinese market Baidu.
The analysis found that 12,706 mobile apps contained backdoor secrets and 4,028 mobile apps contained blacklist secrets. The undocumented backdoors include secret access keys, master passwords, and secret privileged commands; the blacklists of unwanted items include censorship keywords, cyber-bullying expressions, and weak passwords.
Such hidden backdoors and blacklists can be abused to enable remote logins, reset user passwords, block users from accessing content, and let attackers bypass payment interfaces. All of this functionality exists without the user's knowledge, which poses a serious threat in the chaotic Android ecosystem.
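As an added illustration (not InputScope's code or the study's own method), the following simplified Python scan shows the kind of check an app-vetting team could run over decompiled source: it tracks strings derived from UI input in a constructed, hypothetical snippet, flags equivalence checks against hardcoded constants as backdoor candidates (keys, passwords, commands) and membership checks against hardcoded lists as blacklist candidates. All variable, method and constant names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed toy "decompiled" source of a hypothetical app; not real app code.
SAMPLE_SOURCE = """\
String pw = passwordField.getText().toString();
if (pw.equals("hunter2-override")) { adminLogin(); }
String cmd = consoleBox.getText().toString();
if (cmd.equals("dbg_unlock")) { unlockDebugMenu(); }
String nick = nameField.getText().toString();
if (BLOCKED_WORDS.contains(nick)) { rejectNickname(); }
String locale = "en";
if (locale.equals("en")) { loadEnglish(); }
"""

# A string assigned from a UI widget's getText() is treated as user input.
INPUT_SOURCE = re.compile(r"String\s+(\w+)\s*=\s*\w+\.getText\(\)")
# var.equals("literal"): an equivalence check against a hardcoded constant.
EQUALS_CHECK = re.compile(r'(\w+)\.equals\("([^"]*)"\)')
# COLLECTION.contains(var): a membership check against a hardcoded list.
MEMBER_CHECK = re.compile(r"(\w+)\.contains\((\w+)\)")


@dataclass(frozen=True)
class Finding:
    kind: str      # "backdoor-candidate" or "blacklist-candidate"
    variable: str  # the input-derived variable being validated
    detail: str    # the hardcoded constant, or the blacklist collection name


def find_input_triggered_secrets(source: str) -> list[Finding]:
    """Flag validations of user-input-derived strings against hardcoded data."""
    tainted = set(INPUT_SOURCE.findall(source))  # variables fed from UI input
    findings: list[Finding] = []
    for var, const in EQUALS_CHECK.findall(source):
        if var in tainted:  # input compared to a constant: possible key/command
            findings.append(Finding("backdoor-candidate", var, const))
    for coll, arg in MEMBER_CHECK.findall(source):
        if arg in tainted:  # input looked up in a hardcoded list: blacklist
            findings.append(Finding("blacklist-candidate", arg, coll))
    return findings


if __name__ == "__main__":
    for f in find_input_triggered_secrets(SAMPLE_SOURCE):
        print(f"{f.kind}: {f.variable} checked against {f.detail!r}")
```

Every hit is only a candidate: the untainted `locale` comparison is skipped, but as the study's own manual review notes, flagged values can still be benign Easter eggs or shortcuts, so each finding still needs a human to confirm what the triggered code path does.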
The study states, “INPUTSCOPE relies on static analysis with a set of security policies to identify a variety of secrets that can trigger hidden behaviours within an app. To better understand these behaviours and evaluate the accuracy of our secret uncovering policies, we manually analyzed the top popular apps. More specifically, we first decompiled each app and inspected its code to identify whether the secret values we discovered can actually trigger actions (e.g., invoking methods). If so, then we moved on to understand the purpose of this action by reading the code as well as finding the correct way to navigate the app and try to trigger the action for dynamic verification.
Among the total number of 70 apps we have manually analyzed with our best effort and understanding, we have identified 1 misclassification and 8 false positives, resulting in an accuracy of 87.14 per cent. In particular, a false positive in this study refers to an extracted value that (i) cannot trigger actions, (ii) triggers behaviours that can be achieved by normal operations, or (iii) where the triggered action is benign even though it cannot be triggered normally. In our manual analysis, we have identified 8 false-positive cases where 6 of them are flagged as backdoor secrets of access keys and 2 as secret commands. Specifically, three false positives occur because the identified values will not trigger actions in practice because of conflicting constraints along the execution path; the other three false positives are caused by misclassifying benign behaviour: two cases where the values are used for benign “Easter eggs”, and one where they are used to provide (benign) special location-based services.
The remaining two false positives were both identified as hidden commands: the identified commands for one app are a set of shortcuts for normal operations, and the other one uses hidden commands to change UI rendering. In addition, we also noticed 1 misclassification case where a set of secret commands has been flagged as blacklist secrets.”