Android barcode scanner with 10 million+ downloads infects users

A benign barcode scanner with greater than 10 million downloads from Google Play has been caught receiving an improve that turned it to the darkish aspect, prompting the search-and-advertising big to take away it.

Barcode Scanner, one in every of dozens of such apps obtainable within the official Google app repository, started its life as a legit providing. Then in late December, researchers with safety agency Malwarebytes started receiving messages from clients complaining that adverts had been opening out of nowhere on their default browser.

One replace is all it takes

Malwarebytes cell malware researcher Nathan Collier was at first puzzled. Not one of the clients had lately put in any apps, and all of the apps that they had already put in got here from Play, a market that regardless of its lengthy historical past of admitting malicious apps stays safer than most third-party websites. Finally, Collier recognized the wrongdoer because the Barcode Scanner. The researcher stated an replace delivered in December included code that was chargeable for the bombardment of adverts.

“It’s scary that with one replace an app can flip malicious whereas going underneath the radar of Google Play Shield,” Collier wrote. “It’s baffling to me that an app developer with a preferred app would flip it into malware. Was this the scheme all alongside, to have an app lie dormant, ready to strike after it reaches reputation?”

Collier stated that adware is commonly the results of third-party software program improvement kits, which builders use to monetize apps obtainable without cost. Some SDKs, unbeknownst to builders, find yourself pushing the bounds. As Collier was in a position to set up from the code itself and a digital certificates that digitally signed it, the malicious habits was the results of adjustments made by the developer.

The researcher wrote:

No, within the case of Barcode Scanner, malicious code had been added that was not in earlier variations of the app. Moreover, the added code used heavy obfuscation to keep away from detection. To confirm that is from the identical app developer, we confirmed it had been signed by the identical digital certificates as earlier clear variations. Due to its malign intent, we jumped previous our authentic detection class of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google eliminated the app after Collier privately notified the corporate. Thus far, nonetheless, Google has but to make use of its Google Play Shield device to take away the app from gadgets that had it put in. Meaning customers must take away the app themselves.

Google representatives declined to say if the Shield characteristic did or didn’t take away the malicious barcode scanner. Ars additionally emailed the developer of the app to hunt remark for this publish however to this point hasn’t obtained a response.

Anybody who has a barcode scanner put in on an Android system ought to examine it to see if it’s the one Collier recognized. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the bundle identify is com.qrcodescanner.barcodescanner.

The standard recommendation about Android apps applies right here. Individuals ought to set up the apps solely after they present true profit after which solely after studying person evaluations and permissions required. Individuals who haven’t used an put in app in additional than six months must also strongly contemplate eradicating it. Sadly, on this case, following this recommendation would fail to have protected many Barcode Scanner customers.

It’s additionally not a foul thought to make use of a malware scanner from a good firm. The Malwarebytes app gives app scanning without cost. Working it a few times a month is a good suggestion for a lot of customers.