A new study claims that thousands of Android apps contain input-triggered secrets, such as backdoors and blacklists of unwanted items. In total, 150,000 apps were analyzed using a newly developed tool called InputScope. Of these, 12,706 applications were found to contain backdoors, and more than 4,028 applications appear to check input against blacklisted words.

Of the 150,000 apps, 100,000 were from the Google Play Store and 30,000 were pre-installed on Samsung phones.

Thousands of Android and Samsung Pre-Installed Apps Come With Hidden Backdoors

The new study comes from researchers at Ohio State University, New York University, and the Helmholtz Center for Information Security (CISPA). 

The researchers analyzed the 150,000 apps using an analysis tool called InputScope. The tool automatically identifies both the context in which user input is validated and the content that the input is validated against, and uses this to reveal hidden functionality.

The app pool includes Android apps from the Google Play Store, pre-installed apps from Samsung phones and 20,000 apps from the Chinese market Baidu.

The analysis uncovered 12,706 mobile apps with backdoor secrets and 4,028 mobile apps with blacklist secrets. The unauthorized backdoors include secret access keys, master passwords, and secret privileged commands, while the blacklists of unwanted items include censorship keywords, cyber-bullying expressions, and weak passwords.
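The pattern behind these findings is user input compared against a value hardcoded in the app. The following is an added example for auditing your own decompiled code, not InputScope or the researchers' code: a simplified line-based heuristic in which the Java sample, the function name `find_input_literal_checks`, and all literals are constructed for illustration.

```python
import re

# Constructed sample: decompiled-style Java for a hypothetical login screen.
SAMPLE = '''\
String pass = passwordField.getText().toString();
String p = pass.trim();
String title = getString(R.string.title);
if (p.equals("EXAMPLE_MASTER_PW")) { unlockAdmin(); }
if ("debug_on".equals(p)) { enableDebugMenu(); }
if (title.equals("Login")) { showBanner(); }
if (p.equals(storedHash)) { login(); }
'''

# A variable becomes "tainted" when it is read from a text field.
SOURCE = re.compile(r'\b(\w+)\s*=\s*.*\.getText\(\)\.toString\(\)')
# Simple propagation: x = y... where y is already tainted.
ASSIGN = re.compile(r'\b(\w+)\s*=\s*(\w+)\b')
# var.equals("literal") and "literal".equals(var)
CMP_VAR_FIRST = re.compile(r'\b(\w+)\.equals(?:IgnoreCase)?\(\s*"([^"]*)"\s*\)')
CMP_LIT_FIRST = re.compile(r'"([^"]*)"\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)')

def find_input_literal_checks(source):
    """Return (line, variable, literal) for each comparison of a
    user-input-derived variable against a hardcoded string literal."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SOURCE.search(line)
        if m:
            tainted.add(m.group(1))
        else:
            m = ASSIGN.search(line)
            if m and m.group(2) in tainted:
                tainted.add(m.group(1))
        for var, lit in CMP_VAR_FIRST.findall(line):
            if var in tainted:
                findings.append((lineno, var, lit))
        for lit, var in CMP_LIT_FIRST.findall(line):
            if var in tainted:
                findings.append((lineno, var, lit))
    return findings

if __name__ == "__main__":
    for lineno, var, lit in find_input_literal_checks(SAMPLE):
        print(f"line {lineno}: input '{var}' compared with hardcoded {lit!r}")
```

Comparisons against non-input values (`title`) or against non-literal values (`storedHash`) are not reported, which is what separates a hardcoded secret from ordinary validation in this heuristic.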

Pre-installed applications were shown to exhibit this unethical behavior more often than other applications. About 16 percent of pre-installed applications contained unauthorized backdoors, compared with 6.8 percent of Google Play Store applications. Baidu apps had the lowest rate, at 5.3 percent. For blacklists, the figures were 4.5 percent of Baidu apps, 3.9 percent of pre-installed applications, and 2 percent of Google Play apps.

The secret backdoors and blacklists contained in these apps allow remote login, resetting of user passwords, and blocking of users from accessing content, and let hackers bypass payment interfaces. All of this exists without users' knowledge and poses an even bigger threat to the chaotic Android ecosystem.