Most apps on official app stores offer legitimate offerings. But some may eventually have a change of mind.
Researchers at security firm Malwarebytes found that a barcode scanner app with more than 10 million downloads on Google Play Store has been receiving an update that changed it from a good app to a bad app, prompting Google to remote the said app.
The app called 'Barcode Scanner' became a suspect after users started complaining that ads were opening out of nowhere on their default web browser.
Nathan Collier from Malwarebytes was suspicious, and this drove the investigation.
Since none of the users had recently installed any apps, and all the apps they had already downloaded and installed came from Google Play Store, Collier who started digging identified Barcode Scanner as the culprit.
The researcher said that Barcode Scanner had an update in December, which added code that was responsible for the bombardment of ads. In a blog post the researcher said that:
Initially, Collier suspicion was based on the fact that adware is often the result of third-party software development kits (SDKs).
Many developers use these SDKs to monetize their apps for free. Many of those SDKs have malicious intentions, and can end up pushing the limits by going rogue.
"When this happens, it is not the app developers’ doing, but the SDK company," explained Collier.
However, he added that "in the case of Barcode Scanner, this was not the case."
He said that:
After privately notifying Google about this case, the tech giant removed the app.
But unfortunately, Google has yet to use its Google Play Protect to remove the app from devices that had it installed. What this means, users of the Barcode Scanner app have to manually remove the app themselves.
It has long been suggested that Android users should always download apps from legitimate stores. And among them, Google Play Store is by far, the safest.
Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google Play Store for years, offered users a QR code reader and a barcode generator.
As useful as it can be, its years of reputation plummets after one single update.
Apps like these can pass Google's eyes. This is why Collier suggested that people should installs apps "only when they provide true benefit and then only after reading user reviews and permissions required."
Adding that those who haven’t used an installed app in more than six months "should also strongly consider removing it."