A benign barcode scanner with over 10 million downloads from Google Play has been caught receiving an upgrade that took it to the dark side, forcing the search and advertising giant to remove it.
Barcode Scanner, one of dozens of such apps available in Google’s official app repository, started life as a legit offering. In late December, researchers at security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere in their default browsers.
One update is enough
Malwarebytes mobile malware researcher Nathan Collier was initially surprised. None of the customers had installed any apps recently, and all the apps they already installed came from Play, a market that, despite its long history of allowing malicious apps, is more secure than most third-party sites. Ultimately, Collier identified the culprit as the barcode scanner. The researcher said an update delivered in December contained code responsible for the ad bombardment.
“It’s frightening that an app with one update can go malicious while going under the radar of Google Play Protect,” Collier wrote. “I find it baffling that an app developer with a popular app would turn it into malware. Was this the plan all along to let an app snooze, waiting to strike after it becomes popular?”
Collier said that adware is often the result of third-party software development kits, which developers use to monetize freely available apps. Some SDKs push the boundaries without the developers' knowledge. That was not the case here: because Collier could examine the code itself and the digital certificate that signed it, he determined the malicious behavior was the result of changes made by the developer.
The researcher wrote:
No, in the case of Barcode Scanner, malicious code was added that was not included in previous versions of the app. In addition, the added code used heavy obfuscation to avoid detection. To verify that this is from the same app developer, we confirmed that it is signed with the same digital certificate as previous clean versions. Due to malicious intent, we jumped past our original adware detection category directly to Trojan, detecting Android/Trojan.HiddenAds.AdQR.
Google removed the app after Collier notified the company privately. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices it was installed on. That means users have to uninstall the app themselves.
Google representatives declined to say whether or not the Protect feature removed the malicious barcode scanner. Ars also emailed the app’s developer requesting comments on this post, but has not received a response so far.
Anyone who has installed a barcode scanner on an Android device should inspect it to see if it is the one Collier identified. The app's MD5 hash is A922F91BAF324FA07B3C40846EBBFE30 and its package name is com.qrcodescanner.barcodescanner. The malicious Barcode Scanner should not be confused with the one here or other apps of the same name.
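One way to run that check from a workstation, as an added example that is not from the article or from Malwarebytes: it assumes adb is installed and USB debugging is enabled on the phone, and compares the installed package list and pulled APK against the package name and MD5 hash given above. The parsing helpers work on plain text, so they can be exercised without a device.

```shell
#!/bin/sh
# Indicators from the article (hash lower-cased for comparison).
IOC_PACKAGE="com.qrcodescanner.barcodescanner"
IOC_MD5="a922f91baf324fa07b3c40846ebbfe30"

# Given the text of `pm list packages` (lines like "package:com.example.app"),
# print 1 if the indicator package is installed, 0 otherwise.
package_installed() {
    printf '%s\n' "$1" | grep -qxF "package:${IOC_PACKAGE}" && echo 1 || echo 0
}

# Given a line of `md5sum` output ("<hash>  <file>"), print "match" or "no-match".
# A mismatch only means a different build; the package name alone is the stronger signal.
md5_verdict() {
    hash=$(printf '%s\n' "$1" | awk '{print tolower($1)}')
    [ "$hash" = "$IOC_MD5" ] && echo match || echo no-match
}

# Live check against a connected device. Assumes adb is on PATH (assumption, not from the article).
scan_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping device scan" >&2; return 2; }
    pkgs=$(adb shell pm list packages | tr -d '\r')
    if [ "$(package_installed "$pkgs")" = 1 ]; then
        echo "indicator package present: $IOC_PACKAGE (uninstall it)"
        # `pm path` prints "package:/data/app/.../base.apk"; take the first (base) APK.
        apk=$(adb shell pm path "$IOC_PACKAGE" | tr -d '\r' | head -n 1 | sed 's/^package://')
        adb pull "$apk" ./suspect.apk >/dev/null && md5_verdict "$(md5sum ./suspect.apk)"
    else
        echo "indicator package not installed"
    fi
}

# Only talk to a device when invoked as: sh check_scanner.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_device
fi
```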
The usual advice about Android apps applies here. People should install apps only if they provide real benefit, and then only after reading user reviews and the required permissions. People who have not used an installed app for more than six months should also strongly consider uninstalling it. Unfortunately, following this advice would not have protected many Barcode Scanner users in this case.
It’s also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app offers free app scanning. Running it once or twice a month is a good idea for many users.