Call it the case of a good app gone bad!
For some time, a handy PDF creator and optical character recognition (OCR) app available via Google Play offered users utility and convenience. The app, downloaded more than 100 million times, is called CamScanner and allows Android phone owners to snap a picture of a page of text, turn it into a PDF and even use OCR to turn the document into editable text.
But what started out as a great app turned into something unsavory, according to researchers at Kaspersky. They report that CamScanner originally had no malicious intent. However, at some unspecified time, the publisher of the app went rogue.
Kasperky researchers said a review of a previous version of the app revealed an advertising library containing a malicious module. That module contained dropper malware called Trojan-Dropper.AndroidOS.Necro.n. That dropper “extracts and runs another malicious module from an encrypted file included in the app’s resources,” according to a report on the malware published on Tuesday.
“When the app is run, dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources,” wrote Kaspersky. “Next, the configuration file with the name ‘comparison’ is decrypted. Once we decrypt it, we obtain… configuration(s) with the addresses of the attackers’ servers. Dropper downloads an additional module from the URLs. It then executes its code.”
Further analysis revealed that the dropper downloads additional malicious modules based on the whims of those behind the app. Some observed unwanted behavior includes the app signing unsuspecting users up for paid subscription services without their consent. Another unwanted feature are “intrusive ads” pelting user screens.
Researchers suspect the makers of the app may have partnered with an unscrupulous third-party advertiser who may be responsible for the malicious behavior.
“Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” Kaspersky said.
Kaspersky also reports the latest version of the app has been updated and does not include the malicious component. “Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code,” researchers wrote.
It’s unclear if the existing user base of CamScanner users will be automatically updated to a version free of malicious code.
CamScanner reviews posted to Google Play reveal many satisfied customers, however it is hard to ignore lengthy tirades by customers who felt tricked into spending money on faxing services that never worked.
“I used to like this app, but now I feel like I was tricked. Not cool guys,” wrote one user who goes by the handle “JM.”
According to the report, Kaspersky notified Google of the malicious ad component (Trojan-Dropper.AndroidOS.Necro.n) and Google promptly removed it.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.