A new study covering the 100,000 most popular Android apps on the Google Play Store has found a variety of undocumented backdoor abilities in nearly 10% of them. The apps quietly give the developer a range of capabilities that are not apparent to the user; these include the ability to remotely reset user passwords, block users from loading certain types of content, and in at least one case full administrative access.
The secrets hidden in popular Android apps
The study, conducted by researchers from The Ohio State University and New York University with assistance from the CISPA Helmholtz Center for Information Security in Germany, scrutinized 150,000 Android apps in total using a custom tool that examines how apps handle user-input fields. In addition to the 100,000 most-downloaded mobile apps from the Google Play Store, the study included 30,000 apps that are pre-installed on various Samsung devices and 20,000 popular apps on China’s Baidu App Store.
The apps in question are not installing malware or exfiltrating files, but were found to give the developers various access capabilities that are not disclosed to the end user. Most of these are some sort of “master key” ability that allows for remote unlocking of an app or reset of a user’s password. Several thousand apps also have the ability to remotely execute hidden commands; these are mostly used for debugging, but in some cases an app developer could remotely clear the user’s cache or their account settings.
The study also found that hidden blacklists are present in thousands of Android apps. These are lists of 7 to around 10,000 keywords used to filter displayed content and search results.
Out of the 150,000 apps tested, 12,706 had some sort of hidden ability that fell into one of these categories. The percentage of apps on Google Play and Baidu that have these sorts of capabilities is around 6% to 7%; that number more than doubles to 16% among pre-installed “bloatware” apps on Samsung devices. 4.5% of Baidu apps, 3.9% of Samsung apps and 2% of Google Play apps in the study — 4,028 apps in total — had hidden blacklists. In some apps, the blacklisted words included obvious elements of political suppression.
The study did not name specific Android apps with these capabilities, but in a few cases provided enough details to make educated guesses. For example, it cites a “popular file encryption app with 500,000+ installs” that contains a backdoor master password, and a live streaming app with five million installs that allows for remote access to the administrator interface.
In some cases, these backdoor abilities are not entirely to the benefit of the app developer. The study cites several examples of apps that have hidden commands that can be exploited in various ways to obtain illicit access to a premium paid level of services.
In addition to giving app developers concerning and undisclosed access to the devices of users, the presence of backdoors could potentially be leveraged by attackers. A particular concern is an attacker with physical access to the phone or tablet, as some of these hidden commands could be exploited to grant elevated privileges and enable the execution of new code.
In some cases, access to these hidden backdoor functions is trivial for anyone with physical access to the phone. One of the researchers shared a video on Twitter demonstrating how a hidden debug menu in the NBC Sports app can be accessed by tapping on the version number 13 times. This prompts the user for a password, which turns out to be the widely-known “Konami Code” used to enable cheats in video games.
Not all of these backdoors were placed with malicious intent, or for the purpose of data harvesting. Many app developers may not even be aware that they are still present. The study suggests that thousands of these hidden functionalities can be attributed to a simple failure to thoroughly strip debugging features from the app before releasing it to the public. The researchers posit that many app developers have underestimated the threat of reverse engineering, and hope that the study makes that threat clear to them.
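To show concretely why a hard-coded master password or secret command offers no protection once the APK is in an attacker's hands, here is a toy scanner over decompiled (smali) code, added as an example for this page. It is not the researchers' tool and not code from any app mentioned above; the smali fragment, the class and method names, and the lists of taint sources, propagators and comparison sinks are all constructed assumptions. The scanner does a single-method, register-level taint pass: a value that comes from a user-input source (an EditText, an Intent extra) and is compared with `equals()` against a string literal is reported, while a comparison against a value fetched from a field is not.

```python
"""Toy input-validation scanner for decompiled Android (smali) code.
Added example: constructed sample and simplified analysis, not a real tool."""
import re
from dataclasses import dataclass

# Constructed smali, not taken from any real app. Three handlers: a master-
# password check, a hidden command gated on an Intent extra, and a legitimate
# comparison against a server-supplied field (which must not be flagged).
SAMPLE_SMALI = r'''
.method private onUnlockClicked()V
    iget-object v0, p0, Lcom/example/Vault;->passwordField:Landroid/widget/EditText;
    invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
    move-result-object v0
    invoke-interface {v0}, Landroid/text/Editable;->toString()Ljava/lang/String;
    move-result-object v0
    const-string v1, "up-up-down-down"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-eqz v2, :cond_0
    invoke-direct {p0}, Lcom/example/Vault;->openDebugMenu()V
    :cond_0
    return-void
.end method
.method private onCommandReceived(Landroid/content/Intent;)V
    const-string v0, "cmd"
    invoke-virtual {p1, v0}, Landroid/content/Intent;->getStringExtra(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v1
    const-string v2, "wipe_cache"
    invoke-virtual {v1, v2}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z
    move-result v0
    if-eqz v0, :cond_0
    invoke-direct {p0}, Lcom/example/Vault;->clearAccountData()V
    :cond_0
    return-void
.end method
.method private onLoginClicked()V
    iget-object v0, p0, Lcom/example/Vault;->tokenField:Landroid/widget/EditText;
    invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
    move-result-object v0
    invoke-interface {v0}, Landroid/text/Editable;->toString()Ljava/lang/String;
    move-result-object v0
    iget-object v1, p0, Lcom/example/Vault;->serverToken:Ljava/lang/String;
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    return-void
.end method
'''

SOURCES = {"getText", "getStringExtra", "getQueryParameter"}   # assumed, not exhaustive
PROPAGATORS = {"toString", "trim", "toLowerCase", "toUpperCase"}
SINKS = {"equals", "equalsIgnoreCase", "contentEquals"}

METHOD_RE = re.compile(r'\.method\s+(?:[a-z-]+\s+)*([^\s(]+)\(')
CONST_RE = re.compile(r'const-string(?:/jumbo)?\s+(\w+),\s*"(.*)"')
MOVE_RESULT_RE = re.compile(r'move-result(?:-object|-wide)?\s+(\w+)')
INVOKE_RE = re.compile(r'invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*\S+?->([^(]+)\(')
WRITE_RE = re.compile(r'(?:iget|sget|aget|move|new-instance|const)\S*\s+(\w+),')


@dataclass(frozen=True)
class Finding:
    method: str       # method containing the comparison
    literal: str      # hard-coded string the input is checked against
    comparison: str   # String method used as the gate


def scan_smali(text: str) -> list[Finding]:
    """Report comparisons of user-controlled strings against string literals."""
    findings: list[Finding] = []
    method, tainted, consts, pending = "?", set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := METHOD_RE.match(line):          # new method: reset all state
            method, tainted, consts, pending = m.group(1), set(), {}, False
        elif m := CONST_RE.match(line):         # register now holds a literal
            consts[m.group(1)] = m.group(2)
            tainted.discard(m.group(1))
        elif m := MOVE_RESULT_RE.match(line):   # result of the last invoke lands here
            reg = m.group(1)
            consts.pop(reg, None)
            if pending:
                tainted.add(reg)
            else:
                tainted.discard(reg)
            pending = False
        elif m := INVOKE_RE.match(line):
            args = [r.strip() for r in m.group(1).split(",") if r.strip()]
            name = m.group(2)
            if name in SINKS and len(args) == 2:
                for a, b in (args, args[::-1]):  # either side may be the literal
                    if a in tainted and b in consts:
                        findings.append(Finding(method, consts[b], name))
            receiver = args[0] if args else None
            pending = name in SOURCES or (name in PROPAGATORS and receiver in tainted)
        elif m := WRITE_RE.match(line):         # any other write kills both facts
            consts.pop(m.group(1), None)
            tainted.discard(m.group(1))
    return findings


if __name__ == "__main__":
    for f in scan_smali(SAMPLE_SMALI):
        print(f"{f.method}: user input {f.comparison}() hard-coded {f.literal!r}")
```

Run against the constructed sample it reports the `"up-up-down-down"` master password in `onUnlockClicked` and the `"wipe_cache"` command in `onCommandReceived`, and stays silent on `onLoginClicked`, where the input is compared against a field rather than a literal. The pass is deliberately per-method and ignores control flow, fields and inter-procedural data flow, which is why a real tool needs far more; but it is enough to show that the "secret" is a plain string constant recoverable from the APK, so the remedy is to remove such gates from release builds rather than to hide the literal better.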
Ongoing issues with pre-installed apps
This is not the first time that unnecessary “bloatware” apps have been found to be causing problems beyond merely taking up space.
The Android apps that come preloaded on various devices sit outside the Google Play Store’s security and policy framework, since they never have to pass through it. That means device manufacturers are free to install apps with backdoor abilities that would be considered out of bounds for any app listed on the Play Store; chiefly, the ability to access input devices such as the camera and microphone without the standard mandatory notification to the user.
Vendors vary greatly in their use of bloatware Android apps. Samsung was most likely chosen as a focus of this study as the manufacturer goes farther than most with its ecosystem of pre-installed Android apps, openly advertising it as a “feature” of their devices. These apps often cannot be entirely disabled or removed from the device by normal means. Pre-installed apps for third-party services are also often “custom versions” that are not officially supported and cannot be upgraded to more recent versions.