A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an update that turned it to the dark side, prompting the search-and-advertising giant to remove it.
Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.
One update is all it takes
Malwarebytes mobile malware researcher Nathan Collier was at first puzzled. None of the customers had recently installed any apps, and all the apps they had already installed came from Play, a market that despite its long history of admitting malicious apps remains safer than most third-party sites. Eventually, Collier identified the culprit as the Barcode Scanner. The researcher said an update delivered in December included code that was responsible for the bombardment of ads.
“It’s scary that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier wrote. “It’s baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity?”
Collier said that adware is often the result of third-party software development kits, which developers use to monetize apps available for free. Some SDKs, unbeknownst to developers, end up pushing the limits. In this case, as Collier was able to establish from the code itself and the digital certificate that signed it, the malicious behavior was the result of changes made by the developer.
The researcher wrote:
No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.
Google removed the app after Collier privately notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.
Google representatives declined to say if the Protect feature did or didn’t remove the malicious barcode scanner. Ars also emailed the developer of the app to seek comment for this post but so far hasn’t received a response.
Anyone who has a barcode scanner installed on an Android device should check it to see if it’s the one Collier identified. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package name is com.qrcodescanner.barcodescanner.
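One way to run that check over APK files already copied off a device, as an added example that is not from the article or from Malwarebytes. The function names, the `com.example.*` package names and the sample files are assumptions; the files are constructed stand-ins, not real APKs, so the demo substitutes their hash for the published one.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted in the article.
IOC_MD5 = "A922F91BAF324FA07B3C40846EBBFE30"
IOC_PACKAGE = "com.qrcodescanner.barcodescanner"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large APK is never read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(package_name, apk_path, ioc_md5=IOC_MD5, ioc_package=IOC_PACKAGE):
    """Return 'confirmed', 'review' or 'clear' for one APK pulled from a device."""
    if md5_of_file(apk_path).lower() == ioc_md5.strip().lower():
        return "confirmed"  # exact build named in the article
    if package_name.strip().lower() == ioc_package.lower():
        # Same package, different build: earlier versions were clean and carry
        # the same signing certificate, so the name alone proves nothing.
        return "review"
    return "clear"


def demo():
    """Run triage over constructed stand-in files (hypothetical sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged = Path(tmp, "flagged.apk")
        other = Path(tmp, "other.apk")
        flagged.write_bytes(b"constructed bytes standing in for the flagged build")
        other.write_bytes(b"constructed bytes standing in for any other build")
        stand_in_md5 = md5_of_file(flagged)  # plays the role of IOC_MD5 here
        return [
            triage(IOC_PACKAGE, flagged, ioc_md5=stand_in_md5),
            triage(IOC_PACKAGE, other, ioc_md5=stand_in_md5),
            triage("com.example.notes", other, ioc_md5=stand_in_md5),
            triage("com.example.renamed", flagged, ioc_md5=stand_in_md5),
        ]


if __name__ == "__main__":
    print(demo())
```

The hash is checked before the package name so that a matching build is still reported if it was repackaged under another name, and a name-only match is left for manual review instead of being treated as proof.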
The usual advice about Android apps applies here. People should install apps only when they provide true benefit and then only after reading user reviews and permissions required. People who haven’t used an installed app in more than six months should also strongly consider removing it. Unfortunately, in this case, following this advice would have failed to protect many Barcode Scanner users.
It’s also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.