How A Single Update To A Barcode Scanner Made The Android App A Malware

Barcode scanning mobile

Most apps on official app stores offer legitimate offerings. But some may eventually have a change of mind.

Researchers at security firm Malwarebytes found that a barcode scanner app with more than 10 million downloads on Google Play Store has been receiving an update that changed it from a good app to a bad app, prompting Google to remote the said app.

The app called 'Barcode Scanner' became a suspect after users started complaining that ads were opening out of nowhere on their default web browser.

Nathan Collier from Malwarebytes was suspicious, and this drove the investigation.

Since none of the users had recently installed any apps, and all the apps they had already downloaded and installed came from Google Play Store, Collier who started digging identified Barcode Scanner as the culprit.

The researcher said that Barcode Scanner had an update in December, which added code that was responsible for the bombardment of ads. In a blog post the researcher said that:

"It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know."

Initially, Collier suspicion was based on the fact that adware is often the result of third-party software development kits (SDKs).

Many developers use these SDKs to monetize their apps for free. Many of those SDKs have malicious intentions, and can end up pushing the limits by going rogue.

"When this happens, it is not the app developers’ doing, but the SDK company," explained Collier.

However, he added that "in the case of Barcode Scanner, this was not the case."

He said that:

"No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR."

After privately notifying Google about this case, the tech giant removed the app.

But unfortunately, Google has yet to use its Google Play Protect to remove the app from devices that had it installed. What this means, users of the Barcode Scanner app have to manually remove the app themselves.

It has long been suggested that Android users should always download apps from legitimate stores. And among them, Google Play Store is by far, the safest.

Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google Play Store for years, offered users a QR code reader and a barcode generator.

As useful as it can be, its years of reputation plummets after one single update.

Apps like these can pass Google's eyes. This is why Collier suggested that people should installs apps "only when they provide true benefit and then only after reading user reviews and permissions required."

Adding that those who haven’t used an installed app in more than six months "should also strongly consider removing it."