Malwarebytes researchers have discovered that a popular barcode scanning app installed malware on tens of millions of Android devices.
With a single update, Lavabird Ltd.’s barcode scanner transformed itself into a Trojan horse. Barcode Scanner is an Android app that has been available in Google’s official app repository for years. The app has over 10 million installs and offers a QR code reader and barcode generator. The mobile application appeared to be legitimate, trustworthy software, as many users had installed the app years ago with no issues – until recently.
According to Malwarebytes, users have complained about unexpected ads appearing on their Android devices since December 2020. Unwanted programs, ads, and malvertising are often associated with new app installs, but in this case, users reported that they had installed nothing recently.
During the investigation, the researchers were able to identify the Barcode Scanner app as the culprit. A software update released around December 4th, 2020, changed the app’s functionality to serve ads without warning. While many developers include ads in their software to offer free versions—and paid apps don’t show ads—the overnight shift of apps from valuable resources to adware has become increasingly common in recent years.
“Advertising software development kits (SDKs) can come from various third parties and represent a revenue stream for the app developer. It’s a win-win situation for everyone,” Malwarebytes said. “Users get a free app, while app developers and Ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end, and the ads can get aggressive.”
Sometimes aggressive advertising practices can be the fault of third-party SDKs – but that wasn’t the case for Barcode Scanner. Instead, the researchers say malicious code was injected with the December update and was heavily obfuscated to avoid detection.
The update was also signed with the same security certificate used in previous clean versions of the Android application. Malwarebytes reported its findings to Google, and the tech giant has now removed the app from Google Play. However, this does not mean that the app will disappear from the affected devices. Therefore, users must manually uninstall the now malicious app.
Malwarebytes’ Nathan Collier concludes: “It’s hard to say how long Barcode Scanner was on the Google Play Store as a legitimate app before it became malicious. We suspect the app has been there for years based on the high number of installs and user feedback. It’s terrifying that an app can become malicious with an update while slipping under Google Play Protect’s radar. It baffles me that an app developer with a popular app would turn it into malware. Was that the plan to let an app lie dormant and wait for it to strike once it became popular? I guess we’ll never know.”
Converting clean SDKs into malicious packages is just one method of bypassing Google Play’s protection. Time checks, long display delays, compromise of open source libraries used by an app, and dynamic code loading are other potential ways for attackers to compromise your mobile device.
Another notable technique, discovered by Trend Micro, is the use of a motion sensor check. In 2019, Android utility apps were found to contain the Anubis banking Trojan, which only activates when a user moves their device.