Thousands of Android apps contain undocumented backdoors, study finds

What might some Android apps be quietly doing behind the backs of their users?

The answer, according to a succession of studies, is quite a lot, probably more than some users would be comfortable with if they knew about it.

This isn’t necessarily about outright malicious apps so much as legitimate apps taking liberties or installing with capabilities users wouldn’t expect to exist.

For example, in March researchers reported that some apps pay a lot of attention to other apps installed on a device, which in theory could be used to gather data on a user’s behaviour and inclinations.

But a recently published study from researchers at Ohio State University, New York University, and the Helmholtz Center for Information Security (CISPA) offers hard evidence that undocumented and hidden behaviours often extend far beyond mere nosy snooping.

Using a sophisticated static analysis tool called InputScope developed for the purpose, the team analysed the behaviour of 150,000 apps, comprising the 100,000 most popular on Google Play in April 2019, plus 30,000 apps pre-installed on Samsung devices, and 20,000 taken from the alternative Chinese market Baidu.

The study examined two issues – what proportion of apps exhibited secret behaviours and how these might be used or abused.

Of the 150,000, 12,706 exhibited a range of behaviours indicating the presence of backdoors (secret access keys, master passwords, and secret commands) plus another 4,028 that seemed to be checking user input against blacklisted words such as political leaders’ names, incidents in the news, and racial discrimination.

Looking at backdoors, both Google Play and apps from alternative app stores such as Baidu showed roughly the same percentage of apps falling into this category, 6.8% and 5.3% respectively.

Interestingly, for pre-installed ‘bloatware’ apps, the percentage showing this behaviour was double the other sources at around 16%.

This finding chimes with a public letter sent to Google CEO Sundar Pichai in January by Privacy International that criticised the way that pre-installed apps are often not scrutinised for privacy and security problems, creating a tempting workaround for surveillance.

As a separate 2019 Spanish study documented, the provenance of pre-installed apps is often shadowy, based on commercial tie-ups between phone makers that the end user would not be aware of.

The latest results would seem to confirm this, not only for behaviours that can be described as backdoors but for secret blacklisting.

That behaviour was uncovered in nearly 4.5% of apps from Baidu but also nearly 3.9% of pre-installed apps. The figure for Google apps was around 2%.

The important question is what dangers backdoor and blacklists access might result in, beyond the fact they sound like a bad thing.

The team took a closer look at 30 apps, picked at random from apps with more than a million installs, finding that one installed with the ability for someone to remotely log into its admin interface.

Others could reset user passwords, bypass payment interfaces, initiate hidden behaviours using secret commands, or just stop users from accessing specific, sometimes political content.

Backdoor is an emotive term that covers almost any secret, remote feature users don’t know about, some of which might be legitimate in some circumstances, for example remotely resetting a lost device. Others looked downright deceptive.

But even if some were legitimate, the fact they exist creates a potential security hazard should these interfaces become known about. It’s the simple reason why backdoors put there for programming convenience are never a good idea, period.

But perhaps the biggest consequence from the study is simply how many Google Play apps exhibit these behaviours. While the Play Store is large, the fact that several thousand apps have hidden backdoors hardly inspires confidence.

Worse, there is currently no easy way, short of the sort of weeks-long analysis carried out by the researchers using a dedicated tool, to know which apps operate in this way.

That’s not so much a backdoor as a blind spot, another problem Google’s sometimes chaotic Android platform could do without.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.