Quote:A comprehensive academic study published this week has discovered hidden backdoor-like behavior -- such as secret access keys, master passwords, and secret commands -- in more than 12,700 Android applications.
 
To discover this hidden behavior, academics from Europe and the US developed a custom tool named InputScope, which they used to analyze input form fields found inside more than 150,000 Android applications.
 
More precisely, academics analyzed the top 100,000 Play Store apps (based by their number of installations), the top 20,000 apps hosted on third-party app stores, and more than 30,000 apps that came pre-installed on Samsung handsets.
 
"Our evaluation uncovered a concerning situation," the research team said. "We identified 12,706 apps containing a variety of backdoors such as secret access keys, master passwords, and secret commands."
Researchers say these hidden backdoor mechanisms could allow attackers to gain unauthorized access to users' accounts. Further, if the attacker has physical access to a device and one of these apps was installed, it could also grant attackers access to a phone or allow them to run code on the device with elevated privileges (due to the hidden secret commands present in the app's input fields).

Quote:Here’s a real world example we were able to find. If you tap 13 times on the version number, you get a password prompt. Enter in the Konami Code, and you get a hidden debug menu!
pic.twitter.com/ixOuz6vmib — Brendan Dolan-Gavitt (@moyix) March 31, 2020

Additional details about the research are available in a scientific paper entitled "Automatic Uncovering of Hidden Behaviors FromInput Validation in Mobile Apps," published by researchers from Ohio State University, New York University, and the CISPA Helmholtz Center for Information Security from Germany.