Backdoor Analysis Results in Android Applications

Researchers at the Helmholtz Center for Information Security (CISPA), Ohio State University and New York University conducted a study of hidden functionality in applications for the Android platform. An analysis of 100 thousand mobile applications from the Google Play catalog, 20 thousand from an alternative catalog (Baidu) and 30 thousand applications pre-installed on various smartphones, selected from 1000 firmware images from SamMobile, showed that 12706 (8.5%) programs contain functionality that is hidden from the user but can be activated with special sequences, and which can be classed as backdoors.

Specifically, 7584 apps included built-in secret access keys, 501 included built-in master passwords, and 6013 included hidden commands. Problematic applications were found in all the software sources considered: in percentage terms, backdoors were detected in 6.86% (6860) of the studied programs from Google Play, in 5.32% (1064) from the alternative catalog, and in 15.96% (4788) from the list of pre-installed applications. The identified backdoors allow anyone who knows the keys, activation passwords and command sequences to gain access to the application and all data associated with it.

For example, a sports streaming app with 5 million installs was found to contain a built-in admin key that allows changing app settings and accessing additional functionality. A screen lock app with 5 million installs contains an access key that allows resetting the password the user set to lock the device. A translator program with 1 million installs includes a key that allows making in-app purchases and upgrading to the pro version without actually paying.

A remote management program for lost devices, which has 10 million installs, has a master password that makes it possible to remove the lock set by the user in case the device is lost. A master password that unlocks secret notes was found in a notepad program. Debugging modes that give access to low-level features were also found in many applications: for example, a shopping application launched a proxy server when a certain combination was entered, and a tutorial application had the ability to bypass its tests.
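The following added example is not InputScope and not code from the researchers; it shows one way a reviewer could flag the kind of check described above in decompiled Java. It assumes the hidden check takes the form of a text-field value (`getText()`) compared with a string literal via `equals`; the sample source, the function name and the literals in it are constructed for illustration.

```python
import re

# Constructed sample of decompiled Java; not taken from any real application.
SAMPLE = '''
String pin = pinField.getText().toString();
String saved = prefs.getString("pin", "");
if (pin.equals(saved)) { unlock(); }
if (pin.equals("PLACEHOLDER-MASTER")) { unlock(); }
String cmd = searchBox.getText().toString().trim();
if ("*#debug#*".equals(cmd)) { enableDebugMenu(); }
String lang = Locale.getDefault().getLanguage();
if (lang.equals("en")) { loadEnglish(); }
'''

LIT = r'"((?:[^"\\]|\\.)*)"'                      # a Java string literal
ASSIGN = re.compile(r'\b(\w+)\s*=(?!=)\s*(.+);')  # var = expr;
VAR_FIRST = re.compile(r'\b(\w+)\.equals(?:IgnoreCase)?\(\s*' + LIT + r'\s*\)')
LIT_FIRST = re.compile(LIT + r'\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)')

def find_hardcoded_input_checks(source):
    """Return (line, variable, literal) for each comparison of a value
    derived from a text field (getText()) against a string literal."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            # Blank out literals so names inside strings do not propagate taint.
            var, expr = m.group(1), re.sub(LIT, '""', m.group(2))
            # Taint propagates from getText() or from an already tainted variable.
            if '.getText()' in expr or any(
                    re.search(rf'\b{re.escape(t)}\b', expr) for t in tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a non-input source
        hits = VAR_FIRST.findall(line) + [(v, l) for l, v in LIT_FIRST.findall(line)]
        findings += [(lineno, v, l) for v, l in hits if v in tainted]
    return findings

if __name__ == "__main__":
    for lineno, var, lit in find_hardcoded_input_checks(SAMPLE):
        print(f"line {lineno}: input '{var}' compared with literal {lit!r}")
```

The comparison against the stored preference and the locale check are not reported, because neither compares user-typed text with a constant embedded in the code.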

In addition to backdoors, 4028 (2.7%) applications were found to contain blacklists used to censor information received from the user. The blacklists contain sets of forbidden words, including the names of political parties and politicians and typical phrases used to intimidate and discriminate against certain segments of the population. Blacklists were detected in 1.98% of the studied programs from Google Play, 4.46% from the alternative catalog and 3.87% from the list of pre-installed applications.

The analysis used the InputScope toolkit created by the researchers, the code of which will be published on GitHub in the near future (the researchers previously published the static analyzer Leakscope, which automatically detects information leaks in applications).

Source: opennet.ru
