A popular app was removed from Google Play after it was discovered to deliver trojanized malware to millions of users phones through an update.
Until recently, the Barcode Scanner was a simple application that provided users with a basic QR code reader and barcode generator, useful for things to like shopping and redeeming discounts. The application, which has existed since at least 2017, is owned by the developer Lavabird Ldt. And it claims to have more than 10 million downloads, the Wayback Machine shows.
However, a wave of malicious activity has recently been traced back to the app. Users began to notice something strange happening with their phones: their standard browsers continued to be hijacked and redirected to random ads, seemingly out of nowhere. It was not clear to many people what was causing the disruptions – since many had not downloaded any apps recently. After several angry victims wrote about their experiences on a web forum, a user finally pointed a finger at Barcode.
Researchers with Malwarebytes have found that the scanner is to blame, releasing a new report that shows it delivered ad-producing malware to users’ phones, probably through a December update. The update spoiled the previously benign application – taking it from “an innocent scanner to complete malware,” write the researchers.
G / O Media can receive a commission
Researchers distinguish Barcode ad-sending malware from basic malwared SDKs – programs used by publishers to launch in-app advertising for monetization purposes, claiming that “that was not the case” with Barcode Scanner. Those who injected the malicious code used heavy obfuscation to hide the fact that it was there, the researchers say, adding that the app appears to have been intentionally transformed from a normal app into a malicious one through the update. They write:
It is scary that, with an update, an application can become malicious while passing Google Play Protect radar. It is disconcerting to me that an application developer with a popular application turns it into malware. Was that the scheme all the time, having an app asleep, waiting to attack after it reached popularity? I don’t think we’ll ever know.
Although Google removed the Barcode Scanner from its app store, has not disappeared from the affected devices. Users of the application will still have to manually uninstall it from their phones.
The owner of Barcode Scanner, Lavabird Ltd., was incorporated in 2020 and is registered at an address in London, according to available online records. The company’s director, Dmytro Kizema, resides in Ukraine.
Gizmodo has contacted Lavabird and will update if we have a response.