This isn’t necessarily malicious but is something that should be in the apps’ threat model and picked up in testing before release. If I cast my mind back to the first few apps I ever developed (back in the 80’s) I remember “Ctrl+Shift+F12” was my go-to shortcut for getting an admin prompt whilst developing. I think I remembered to disable this when putting into production, but there are probably some versions of my code out there which can still be got at with the right key combo. I also remember a mainframe Star Trek game we used to play where you could get infinite photon torpedoes and travel at Warp 12 (go back in time) if you got the key combo correct…:
[…] Secret keys can be used to access the administrator interface of an app, and allow users to change its configuration. For example, if a successful login is made, a bad actor could alter network IDs, configuration URLs, and reset arbitrary user passwords.
To show the vulnerability of passwords, the researchers analyzed popular screen-locking apps. They noted that an attacker “can simply trigger a hidden button after multiple trials with a wrong password.” The hidden interface that appears requests the input of a special code. “Then, attackers can click the hidden button to get a new interface where a special code is requested. By providing this code, the password for unlocking the screen can be reset.”