Barcode scanner app with millions of downloads turns malicious


A benign barcode scanner with more than 10 million downloads from Google Play was caught receiving an update that turned it to the dark side, prompting the search and advertising giant to remove it.

Barcode scanner, one of the dozens of such apps available in the official Google app repository, started life as a legitimate offering. Then, in late December, researchers at security firm Malwarebytes began receiving messages from customers complaining that ads were popping up out of nowhere in their default browsers.

Malwarebytes mobile malware researcher Nathan Collier was puzzled at first. None of the customers had recently installed any apps, and all of the apps they had already installed came from Play, a market that, despite its long history of admitting malicious apps, remains safer than most third-party sites. Eventually, Collier identified the culprit as the barcode reader. The researcher said that an update delivered in December included code responsible for the ad bombardment.

“It’s scary that with an update an app could become malicious while still going under the radar of Google Play Protect,” Collier wrote. “It’s puzzling to me that an app developer with a popular app turns it into malware. Was it the ploy from the start, for an app to be idle, waiting to strike after it reached popularity?”

Collier said adware is often the result of third-party software development kits, which developers use to monetize apps that are available for free. Some SDKs, unbeknownst to the developers, end up pushing the limits. In this case, however, Collier was able to establish from the code itself and from the digital certificate that signed it that the malicious behavior was the result of changes made by the developer.

The researcher wrote:

No, in the case of Barcode Scanner, malicious code was added that was not found in previous versions of the app. Additionally, the added code used heavy obfuscation to avoid detection. To verify that this is from the same app developer, we confirmed that it was signed by the same digital certificate as previous clean versions. Due to its malicious intent, we have jumped beyond our original adware detection category directly to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google deleted the app after Collier informed the company privately. So far, however, Google has yet to use its Google Play Protect tool to remove the app from the devices it was installed on. This means that users will have to delete the app themselves.

Google officials declined to comment on whether or not the protection feature removed the malicious barcode reader. Ars has also emailed the app developer requesting comment on this post, but has so far not received a response.

Anyone who has a barcode scanner installed on an Android device should inspect it to see if it is the one identified by Collier. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30 and the package name is com.qrcodescanner.barcodescanner. The malicious barcode reader should not be confused with the one here or other applications with the same name.
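The check described above can be scripted. The following is an added example, not code from the article or from Malwarebytes: it parses the output of `pm list packages -f`, then classifies an app from its package name and the MD5 of its APK, ignoring the display name because other apps share it. The function names, verdict labels and sample device output are assumptions constructed for illustration.

```python
import hashlib

# Indicators quoted in the article; everything else here is illustrative.
IOC_PACKAGE = "com.qrcodescanner.barcodescanner"
IOC_MD5 = "a922f91baf324fa07b3c40846ebbfe30"

# Constructed sample of `adb shell pm list packages -f` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Zm9v==/com.qrcodescanner.barcodescanner-YmFy==/base.apk=com.qrcodescanner.barcodescanner
package:/system/app/Calc/Calc.apk=com.example.calc
"""


def parse_pm_list(output):
    """Return {package name: APK path} from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Install paths on recent Android contain '=' padding, so split on the last '='.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            packages[name] = path
    return packages


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks; MD5 only because that is the digest published."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(package, md5_hex):
    """Combine both indicators; the display name is ignored because other apps share it."""
    if package != IOC_PACKAGE:
        return "different-app"
    if md5_hex.strip().lower() == IOC_MD5:
        return "known-malicious-build"
    # Same package, other digest: a different build; this check alone does not clear it.
    return "same-package-other-build"


if __name__ == "__main__":
    hit = parse_pm_list(SAMPLE_PM_OUTPUT).get(IOC_PACKAGE)
    print("APK to pull and hash:", hit)
```

After copying the reported APK off the device (for example with `adb pull`), pass the result of `md5_of_file` to `classify`.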

The usual advice on Android apps applies here. Users should only install apps when they provide a real benefit, and then only after reading user reviews and required permissions. People who haven’t used an installed app for over six months should also strongly consider removing it. Unfortunately, in this case, following this advice would not have helped protect many Barcode Scanner users.

It is also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes application provides free app analysis. Running it once or twice a month is a good idea for many users.

This story originally appeared on Ars Technica.

