Android app security: Over 12,000 popular Android apps contain undocumented backdoors

Many Android apps contain hidden secrets

When many people think about malware and other malicious or suspicious software, they focus on computers. It is common best practice to have an antivirus program installed and regularly running on these machines.

Smartphones are rapidly becoming the most common and popular device for computation and Internet access. An “always connected” culture means that many people are constantly checking their devices and have entrusted them with access to their online accounts and sensitive data via installed applications.

The growing popularity of smartphones and other mobile devices has made them a focus of cybercriminals as well. About 24,000 malicious mobile apps are blocked every day. However, a recent study of popular Android apps revealed that many of the most-used apps have hidden secrets.

The Android app security study focused on two different types of backdoors:

  • Authentication bypasses: Authentication bypass backdoors are designed to allow someone to gain access to the app while bypassing the app’s access control mechanism. The report further broke these authentication bypasses down into secret access keys, master passwords and secret privileged commands.
  • Hidden blocklists: Blocklists are designed to filter user input to deny undesirable input. If the contents of these blocklists are not made clear to the user (e.g., the app reports “invalid characters” rather than stating that !@# are denied), they are considered to be hidden.
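As an added illustration (not code from the study or the original article), the sketch below shows one way a reviewer could flag both patterns in decompiled app source: it treats `getText()` as the user-input source, follows simple assignments, and reports comparisons of that input against string literals or literal-built lists. The sample lines, names and values are constructed, and the regex heuristics are assumptions that produce candidates for manual review, not confirmed backdoors.

```python
import re

# Constructed sample: decompiled-style Java from a hypothetical app.
SAMPLE = '''\
String pin = pinField.getText().toString();
if (pin.equals("73129999")) { unlockAll(); }
if (hash(pin).equals(storedHash)) { unlock(); }
String cmd = pin.trim();
if ("*#debug#*".equals(cmd)) { enableAdminMode(); }
String action = intent.getAction();
if (action.equals("android.intent.action.VIEW")) { open(); }
List<String> banned = Arrays.asList("badword1", "badword2");
String comment = commentBox.getText().toString();
if (banned.contains(comment)) { showError("Invalid input"); }
'''

# Assumption: a single '=' (not ==, !=, <=, >=) marks an assignment.
ASSIGN = re.compile(r'(?:[\w<>\[\]]+\s+)?(\w+)\s*(?<![=!<>])=(?!=)\s*(.+);')
SOURCE = re.compile(r'\.getText\(\)')  # assumed user-input source (text field)
EQ_VAR_LIT = re.compile(r'\b(\w+)\.equals(?:IgnoreCase)?\(\s*"([^"]*)"\s*\)')
EQ_LIT_VAR = re.compile(r'"([^"]*)"\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)')
LIT_LIST = re.compile(r'Arrays\.asList\(\s*"')
CONTAINS = re.compile(r'\b(\w+)\.contains\(\s*(\w+)\s*\)')

def audit(source):
    """Return (line, kind, detail) for user input checked against hardcoded values."""
    tainted, literal_lists, findings = set(), set(), []
    for n, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            name, expr = m.groups()
            # Input is tainted at the source and through simple reassignment.
            if SOURCE.search(expr) or any(
                    re.search(rf'\b{re.escape(v)}\b', expr) for v in tainted):
                tainted.add(name)
            if LIT_LIST.search(expr):
                literal_lists.add(name)
        # Authentication-bypass candidates: input compared to a string literal.
        for var, lit in EQ_VAR_LIT.findall(line):
            if var in tainted:
                findings.append((n, "hardcoded-comparison", lit))
        for lit, var in EQ_LIT_VAR.findall(line):
            if var in tainted:
                findings.append((n, "hardcoded-comparison", lit))
        # Hidden-blocklist candidates: input looked up in a literal-built list.
        for coll, var in CONTAINS.findall(line):
            if coll in literal_lists and var in tainted:
                findings.append((n, "hardcoded-blocklist", coll))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The comparison of `action` against an intent name is not reported because `action` never derives from the assumed input source, which keeps ordinary literal comparisons out of the results.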

Study results

The study of Android app security used a dataset of 150,000 popular Android apps, broken down as follows:

  • The top 100,000 most-downloaded apps from the Google Play Store
  • The top 20,000 most-downloaded apps from alternative app stores
  • 30,000 pre-installed apps extracted from the firmware of Samsung devices

The image above shows the findings of the research. Over 11% of the applications studied contained either authentication bypasses or hidden blocklists. A few other important takeaways

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Zbml4mWBzOY/