Android barcode reader with over 10 million downloads infects users

A benign barcode reader with more than 10 million downloads from Google Play was caught receiving an update that turned it to the dark side, prompting the search and advertising giant to remove it.

Barcode Scanner, one of dozens of apps available on the official Google app repository, started its life as a legitimate offering. Then, in late December, researchers at security firm Malwarebytes started receiving messages from customers complaining that ads were opening out of the blue in their default browser.

Just an update

Malwarebytes mobile malware researcher Nathan Collier was intrigued at first. None of the customers had installed any apps recently, and all of the apps they had installed came from Play, a market that, despite its long history of admitting malicious apps, remains more secure than most third-party sites. Eventually, Collier identified the culprit as Barcode Scanner. The researcher said that an update delivered in December included code that was responsible for the bombardment of ads.

“It is scary that, with an update, an application can become malicious while passing Google Play Protect radar,” Collier wrote. “It is disconcerting to me that an application developer with a popular application turns it into malware. Was that the scheme all the time, having an application asleep, waiting to attack after it reached popularity?”

Collier said that adware is often the result of third-party software development kits, which developers use to monetize freely available applications. Some SDKs, without the developers’ knowledge, end up crossing the line. As Collier was able to establish from the code itself and from the digital certificate that signed it, the malicious behavior here was the result of changes made by the developer.

The researcher wrote:

No, in the case of Barcode Scanner, malicious code was added that was not in previous versions of the application. In addition, the added code used heavy obfuscation to avoid detection. To verify that it is from the same application developer, we confirmed that it was signed by the same digital certificate as the previous clean versions. Because of its malicious intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google removed the application after Collier notified the company. So far, however, Google has not yet used its Google Play Protect tool to remove the app from devices that had it installed. This means that users themselves will have to remove the application.

Google representatives declined to say whether or not the Protect feature removed the malicious barcode scanner. Ars also sent an email to the app’s developer to request a comment for this post, but so far has not received a response.

Anyone who has a barcode reader installed on an Android device should inspect it to see whether it is the one Collier identified. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package name is com.qrcodescanner.barcodescanner.
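The following Python sketch is an added example, not code from Malwarebytes or the original article. It shows one way to run that check from a computer. It assumes the package list was captured with `adb shell pm list packages -f`, that the APK was copied off the device with `adb pull`, and that the published MD5 is the digest of the APK file itself. The function names and the sample output are constructed for illustration.

```python
import hashlib

# Indicators published in the article.
BAD_PACKAGE = "com.qrcodescanner.barcodescanner"
BAD_MD5 = "A922F91BAF324FA07B3C40846EBBFE30"  # assumed to be the MD5 of the APK file

def find_apk_paths(pm_output, package=BAD_PACKAGE):
    """Return on-device APK paths for `package` from `pm list packages -f` output."""
    paths = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Line format: package:<apk path>=<package name>; the path may contain '='.
        path, _, name = line[len("package:"):].rpartition("=")
        if name == package:  # exact match, so look-alike names are not flagged
            paths.append(path)
    return paths

def md5_of_file(path, chunk_size=1 << 20):
    """Uppercase hex MD5 of a file, read in chunks (used only for indicator matching)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def classify(pm_output, local_apk=None):
    """Clean earlier versions share the package name, so only the hash confirms the bad build."""
    if not find_apk_paths(pm_output):
        return "not-installed"
    if local_apk is None:
        return "installed-unverified"
    return "malicious-build" if md5_of_file(local_apk) == BAD_MD5 else "installed-other-build"

# Constructed sample of `pm list packages -f` output (paths are made up).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Camera/Camera.apk=com.android.camera2
package:/data/app/~~Qx1==/com.qrcodescanner.barcodescanner-Zk2==/base.apk=com.qrcodescanner.barcodescanner
package:/data/app/~~Ab3==/com.example.barcodescanner.pro-Cd4==/base.apk=com.example.barcodescanner.pro
"""

if __name__ == "__main__":
    print(find_apk_paths(SAMPLE_PM_OUTPUT))
    print(classify(SAMPLE_PM_OUTPUT))
```

A result of `installed-other-build` means the package name matches but the file is not the build with the published hash, which is expected for the earlier clean versions signed by the same developer.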

The usual advice about Android apps applies here. People should install applications only when they provide real benefits and only after reading the user reviews and the required permissions. People who have not used an installed application for more than six months should also consider removing it. Unfortunately, in this case, following this advice would not protect many Barcode Scanner users.

It is also not a bad idea to use a malware scanner from a trusted company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.
