A recently published study from researchers at Ohio State University, New York University and the Helmholtz Center for Information Security offers hard evidence that thousands of Android apps are taking liberties with users’ devices by equipping them with backdoor functions such as creating secret access keys, master passwords and secret commands.
By leveraging InputScope, a sophisticated static analysis tool, the research team analyzed the behavior of 150,000 apps, studying what portion exhibited backdoor behaviors. Apps included the 100,000 most popular on Google Play in April 2019, 30,000 apps that come installed on Samsung devices and 20,000 from the Chinese market Baidu.
Of the 150,000 apps included in the study, 12,706 exhibited a range of backdoor behaviors. Another 4,028 appeared to check user input against blacklisted words such as racial discrimination, incidents in the news and even the names of political leaders. Of those tested, 6.8% of Google Play apps and 5.3% of apps from alternative sources displayed backdoor actions. Interestingly enough, the study showed that a whopping 16% of pre-installed apps also exhibit backdoor behaviors.
This study’s findings coincide with a public letter sent to Google CEO Sundar Pichai by Privacy International. Released in January, the letter urged Google to act against pre-installed apps on Android devices, criticizing the company for its lack of scrutiny when it comes to privacy and security problems.
As stated in the letter, “These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app - including access to the microphone, camera, and location - without triggering the standard Android security prompts.”
The letter continues, noting that Android users should be able to permanently uninstall these apps, thereby disabling backdoor functions.
An important question now remains. How does Google plan to address these potentially nefarious backdoors? While there is no easy way to solve this problem, it is certainly one the Android platform could do without.
