https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update/
Barcode Scanner app on Google Play infects 10 million users with one update

Posted: February 5, 2021 by Nathan Collier
Last updated: February 8, 2021

In a single update, a popular barcode scanner app that had been on Google Play for years turned into malware.

Late last December we started getting distress calls from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner, an app that has 10,000,000+ installs from Google Play! We quickly added the detection, and Google quickly removed the app from its store.

Simple scanner turns evil

Many of the patrons had the app installed on their mobile devices for long periods of time (one user had it installed for several years). Then all of a sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full-on malware! Although Google has already pulled this app, we predict from a cached Google Play webpage that the update occurred on December 4th, 2020.

[Screenshots of the app's Google Play listing: appstore1, appstore2]

Malicious intent

The majority of free apps on Google Play include some kind of in-app advertising. They do this by including an ad SDK in the code of the app, usually at the end of the app's development. Paid-for versions simply do not have this SDK included.

Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It's a win-win situation for everyone. Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive, sometimes even landing the apps that use it in the Adware category. When this happens, it is not the app developers' doing, but the SDK company's.

I explain this method to say that in the case of Barcode Scanner, this was not the case. No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Bad behavior

The toughest part of malware analysis can be replicating what our users are experiencing. That wasn't a problem with Barcode Scanner; it went into action within minutes of install.
Watch the short video below to see its malicious behavior:

Removed from Play, but not from mobile device

Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.

Lying dormant

It is hard to tell just how long Barcode Scanner had been in the Google Play store as a legitimate app before it became malicious. Based on the high number of installs and user feedback, we suspect it had been there for years. It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.

Update February 8, 2021

Per user request, we would like to provide the Google Play link to the exact Barcode Scanner in question: https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner

We apologize that this was not originally provided. We usually do not provide Google Play links that no longer exist. However, because there are so many other legitimate barcode and QR scanners on Google Play, we understand how this information can help eliminate confusion. In addition, the exact publisher is LavaBird LTD, as shown in the Google Play screenshot.

We would also like to further point out that the behavior of the malware is opening the default web browser by itself, without user interaction. This is different from web redirects that occur while actively browsing the web. We hope this clears up any confusion.

App Information

Publisher: LavaBird LTD
App Name: Barcode Scanner
MD5: A922F91BAF324FA07B3C40846EBBFE30
Package Name: com.qrcodescanner.barcodescanner
Google Play URL: https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner
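
The sections on the shared signing certificate and on the app staying on devices after its removal from Play suggest a device triage check. The following is an added example, not code from Malwarebytes or the original post: it matches the package name and MD5 listed above against the text output of `adb shell pm list packages -f` and `apksigner verify --print-certs`. The function names and the sample tool output are constructed for illustration.

```python
import hashlib

# Indicators from the article's "App Information" block.
PACKAGE = "com.qrcodescanner.barcodescanner"
MALICIOUS_MD5 = "a922f91baf324fa07b3c40846ebbfe30"
# Constructed sample tool output (not from a real device or the real APK).
SAMPLE_PM = ("package:/system/app/Calc/Calc.apk=com.example.calc\n"
             "package:/data/app/~~Zx1Q==/" + PACKAGE + "-Ab2c==/base.apk=" + PACKAGE + "\n")
SAMPLE_CERTS = "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"

def find_apk_path(pm_output, package=PACKAGE):
    """Find the package's APK path in `adb shell pm list packages -f` output."""
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Format is package:<apk path>=<package name>; the path itself may
        # contain '=', so split on the last one.
        path, _, name = line[len("package:"):].rpartition("=")
        if name == package:
            return path
    return None

def file_md5(path):
    """MD5 of an APK pulled from the device, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def signer_digests(print_certs_output):
    """Signer SHA-256 digests from `apksigner verify --print-certs` output."""
    marker = "certificate SHA-256 digest:"
    return {line.split(marker, 1)[1].strip().lower()
            for line in print_certs_output.splitlines() if marker in line}

def classify(pm_output, apk_md5, clean_certs, installed_certs):
    """Return a triage verdict for one device."""
    if find_apk_path(pm_output) is None:
        return "not-installed"
    if apk_md5.lower() == MALICIOUS_MD5:
        return "known-malicious-build"
    # A matching signer only shows the same key holder published the build:
    # the malicious update carried the developer's usual certificate.
    installed = signer_digests(installed_certs)
    if installed and installed == signer_digests(clean_certs):
        return "same-signer-unknown-build"
    return "signer-differs-or-unverified"
```

A "same-signer-unknown-build" verdict still needs review: it can be an older clean version or another build from the same publisher, since the signature says nothing about what the code does.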

ABOUT THE AUTHOR

Nathan Collier
Senior Malware Intelligence Analyst

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.