A barcode scanner app with over 10 million downloads was booted from the Google Play marketplace after users began to complain of mobile-ad overload. The makers of the app, called Barcode Scanner, intentionally altered its code via an update, turning it from a benign app into adware, according to researchers.
The rogue update to the app occurred in early December, according to researchers. That’s when the app, published by Lavabird, began to violate Google Play’s terms of service by surreptitiously delivering ads without consent.
Researchers at Malwarebytes, tipped off by a user, explained that the publisher added new, heavily obfuscated code to the app that directed the default mobile web browser to launch and serve up ads, whether the barcode app was active or not.
According to a report published Tuesday, the user who reported the issue installed the Barcode App years prior.
“Then all of a sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full on malware!” the report, written by Nathan Collier, a senior malware intelligence analyst with Malwarebytes, said. “Although Google has already pulled this app, we predict from a cached Google Play webpage that the update occurred on Dec. 4, 2020.”
The most likely explanation for the errant ads would be faulty SDK code, which is commonly used in free, third-party apps to generate revenue. The report makes clear, however, that SDK code wasn’t the culprit in this instance.
Barcode Scanner Breach, From Adware to Trojan
“No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app,” the report said. “Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions.”
This alerted the team that they were looking at more than just everyday adware.
“Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”
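The signing-certificate comparison the report describes can be repeated on any two versions of an APK. The following is an added example, not code from Malwarebytes or from this article; it assumes the output format of `apksigner verify --print-certs` from the Android SDK build-tools, and the sample output, publisher names and digests are constructed.

```python
import re
import subprocess

# Matches lines printed by `apksigner verify --print-certs`, e.g.
# "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def print_certs(apk_path):
    """Run apksigner (Android SDK build-tools) on a local APK file."""
    result = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True)
    return result.stdout


def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return {d.lower() for d in DIGEST_RE.findall(apksigner_output)}


def compare_signers(old_output, new_output):
    """Classify an update by comparing signer certificates of two versions."""
    old, new = signer_digests(old_output), signer_digests(new_output)
    if not old or not new:
        return "unknown"          # no signer parsed; do not guess
    if old == new:
        return "same-signer"      # update came from the holder of the same key
    if old & new:
        return "partial-overlap"  # signer set changed; needs manual review
    return "different-signer"     # e.g. repackaged copy or another publisher


# Constructed sample output (names and digests are made up, not from the report).
CLEAN = ("Signer #1 certificate DN: CN=Example Publisher\n"
         "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n")
UPDATED = ("Signer #1 certificate DN: CN=Example Publisher\n"
           "Signer #1 certificate SHA-256 digest: " + "AB" * 32 + "\n")
REPACKAGED = ("Signer #1 certificate DN: CN=Someone Else\n"
              "Signer #1 certificate SHA-256 digest: " + "cd" * 32 + "\n")

if __name__ == "__main__":
    print(compare_signers(CLEAN, UPDATED))     # same-signer
    print(compare_signers(CLEAN, REPACKAGED))  # different-signer
```

A `same-signer` result only shows that the update was signed with the publisher's own key, which is how the researchers attributed the change to the same developer; it says nothing about whether the new version is benign.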
End users need to be aware that even trusted apps which have been reliable for years can be turned into malware, experts warn.
“When an application is installed, it typically asks the user for a list of permissions (e.g. access to files, SMS / call history), which are often approved without much cause for concern,” Or Sahar, an application security researcher with Checkmarx, explained. “Given this, a malicious developer can upload to Google Play an un-harmful application, get rated, and later exploit the permissions without raising any obvious red flags.”
How Barcode Scanner Malware Made Money
And almost overnight the app publishers have a way to exploit those permissions for revenue.
“For example, if the Barcode Scanner app has permission to open a new Google Chrome pop-up,” Sahar said. “With this, a developer could potentially exploit the permission to show the desired ad, whether appropriate or not, in Chrome to increase exposure and clicks. Although the Barcode Scanner app was relatively ‘okay’ for a few years – showing ads according to Google’s policy – it could have gone down a bad path fueled by greed to earn more money.”
John Bohls, CEO of Inkscreen, advises users to be suspicious of any apps offered for free.
“Building and maintaining apps is costly and time-consuming, even for relatively simple apps like a barcode scanner,” Bohls said. “I would be suspicious of any free app that does not have a clear monetization strategy such as advertisements, premium subscriptions, or tie-in to some other legitimate revenue model.”
For the millions of users still infected with the Barcode Scanner trojan, Malwarebytes recommends installing a malware scanner or just removing the app altogether.
“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” the Malwarebytes report said. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.”