Sometimes developers may unintentionally leave backdoors or additional functionalities in mobile apps that aren't apparent to end users via the interface. These products may get released into the production environment with a feature not intended to be made available, creating security risks.
These weaknesses can typically be exploited by hackers from their systems directly without requiring any participation from regular users. They may examine configuration files, analyze the binary, etc. to discover functionalities in the back-end system that cybercriminals can leverage to perform an attack.