Android barcode scanner with over 10 million downloads infects users

A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an update that turned it to the dark side, prompting the search and advertising giant to remove it.

Barcode Scanner, one of dozens of such apps available in the official Google app repository, started its life as a legitimate offering. In late December, researchers at security firm Malwarebytes began receiving messages from customers complaining that ads were appearing out of nowhere in their default browser.

An update is all that is needed

Malwarebytes mobile malware researcher Nathan Collier was initially surprised. None of the customers had recently installed any apps, and all the apps they had already installed came from Play, a market that, despite its long history of admitting malicious apps, remains safer than most third-party sites. Eventually, Collier identified the culprit as the barcode scanner. The researcher said an update released in December contained the code responsible for the bombardment of ads.

“It’s scary that a single update can get malicious while going under the radar of Google Play Protect,” Collier wrote. “It’s surprising to me that an app developer with a popular app can turn it into malware. Was it always the plan to launch an app and wait to strike after it became popular?”

Collier said adware is often the result of third-party software development kits, which developers use to monetize apps that are available for free. Some SDKs, unknown to the developers who use them, end up pushing the limits. In this case, however, Collier was able to determine from the code itself and from the digital certificate that signed it that the malicious behavior was the result of changes made by the developer.

The researcher wrote:

No, in the case of Barcode Scanner, malicious code was added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to prevent detection. To verify that it comes from the same app developer, we confirmed that it was signed by the same digital certificate as previous clean versions. Due to its malicious intent, we jumped past our original Adware detection category, directly to Trojan, with the detection Android/Trojan.HiddenAds.AdQR.

Google removed the app after Collier privately notified the company. So far, however, Google has not used its Google Play Protect tool to remove the app from devices on which it is installed. This means that users have to uninstall the app themselves.

Google representatives declined to say whether the Protect feature had removed the malicious barcode scanner. Ars also emailed the app developer seeking comment for this post but has so far not received a reply.

Anyone who has installed a barcode scanner on an Android device should check it to see if it is the one that Collier identified. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package name is com.qrcodescanner.barcodescanner.
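
The check described above can be scripted from a computer connected to the phone. The following is an added example, not code from Malwarebytes or from the original article; it assumes `adb` and `md5sum` are on the PATH and USB debugging is enabled, and the function names are hypothetical.

```shell
#!/bin/sh
# Indicators published in the article.
BAD_PKG="com.qrcodescanner.barcodescanner"
BAD_MD5="A922F91BAF324FA07B3C40846EBBFE30"

# Lower-case a hex digest so comparisons ignore case.
norm_hex() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Print the MD5 of a local file as lower-case hex.
file_md5() { md5sum "$1" | cut -d' ' -f1; }

# Succeed (exit 0) when the file's MD5 equals the published digest.
apk_matches_ioc() {
    [ "$(file_md5 "$1")" = "$(norm_hex "$BAD_MD5")" ]
}

# Turn `pm path` output ("package:/data/app/.../base.apk") into bare paths.
# Split APKs yield several lines; adb may append carriage returns.
pm_paths() { sed -n 's/^package://p' | tr -d '\r'; }

# Check the attached device: is the package installed, and does an APK match?
scan_device() {
    out=$(adb shell pm path "$BAD_PKG" 2>/dev/null | pm_paths)
    if [ -z "$out" ]; then
        echo "$BAD_PKG is not installed"
        return 0
    fi
    tmp=$(mktemp -d) || return 2
    status=0
    for p in $out; do
        local_copy="$tmp/$(basename "$p")"
        adb pull "$p" "$local_copy" >/dev/null || continue
        if apk_matches_ioc "$local_copy"; then
            echo "MATCH: $p has the published MD5; uninstall $BAD_PKG"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "$BAD_PKG is installed, but no APK matches the published MD5"
    fi
    rm -rf "$tmp"
    return "$status"
}

# Touch a device only when asked: sh check_scanner.sh --device
if [ "${1:-}" = "--device" ]; then scan_device; fi
```

A non-matching hash only means the installed build is not the one file the article identifies; the digest covers a single APK, so other builds under the same package name are not judged by this check.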

The usual advice on Android applications applies here. People should install applications only if they offer real benefits, and then only after reading user reviews and permissions. People who have not used an installed app for more than six months should also strongly consider removing it. Unfortunately, following this advice would not have protected many users of the barcode scanner in this case.

It is also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.
