Date: 2021-02-06



With a single update, a popular barcode scanner app that had been on Google Play for years turned into malware.

In late December of last year, patrons of the forum began to send in distress calls. Customers were experiencing ads that opened out of nowhere through their default browser. The strange part is that none of them had recently installed any apps, and the apps they did have installed came from the Google Play store. Later, one patron posting under the username Anon00 discovered that the ads came from a long-installed app, Barcode Scanner. It is an application that has been installed more than 10 million times from Google Play. We immediately added detection. Google immediately removed the app from the store.

A simple scanner turns evil

Many patrons had had the app installed on their mobile devices for a long time (one user had it installed for several years). Then suddenly, after the December update, Barcode Scanner went from a harmless scanner to an app full of malware! Google has already pulled this app, but from the cached Google Play web page, we estimate that the update took place on December 4, 2020.

Malicious

Most of the free apps on Google Play contain some kind of in-app advertising. This is achieved by including an advertising SDK in the app's code, usually at the end of app development. The paid version does not include this SDK.

Advertising SDKs come from a variety of third-party companies and provide a source of revenue for app developers. This is a situation that benefits everyone. Users get free apps, and app developers and advertising SDK developers get paid.

But from time to time, an advertising SDK company can change something on its side and the ads can start to become a bit aggressive. It may even land the apps that use it in the adware category. When this happens, it is not the app developer's doing, but the SDK company's. I explain this to say that it was not the case with Barcode Scanner.

No, in the case of Barcode Scanner, malicious code had been added that wasn't in previous versions of the app. In addition, the added code used significant obfuscation to avoid detection. It is signed with the same digital certificate as the previous clean version, which confirms that it is from the same app developer. Because of its malicious intent, the detection skipped the original category of adware and went directly to Trojan, as Android/Trojan.HiddenAds.AdQR.

Bad behavior

The hardest part of malware analysis is often replicating what the user is experiencing. That was not a problem with Barcode Scanner, which started its behavior within minutes of installation. Watch the short video below to see its malicious behavior.

Removed from Play but not from mobile device

Removing an app from the Google Play Store does not necessarily remove it from the affected mobile devices. The app will remain on a device unless Google Play Protect removes it after the fact. This is exactly what users are experiencing with Barcode Scanner. The ads will continue to appear until they install a malware scanner like Malwarebytes for Android or manually remove the app.

Dormant

It's difficult to know exactly how long Barcode Scanner has been in the Google Play store as a malicious app. Given the number of installations and the amount of user feedback, the app has been around for years. It's scary that a single update can turn an app into a malicious one under the supervision of Google Play Protect. It's baffling to me that an app developer with a popular app would turn it into malware. Was this a scheme to lie dormant and wait to strike after the app became popular? I don't think we know.

App information

App name: Barcode scanner

MD5: A922F91BAF324FA07B3C40846EBBFE30

Package name: com.qrcodescanner.barcodescanner
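A device check built on the two indicators above, as an added example that is not part of the original article: because the malicious build arrived as an update signed with the same certificate, the package name alone only shows that the app is installed, and the MD5 identifies just the one sample listed here. The function names and result labels are illustrative assumptions; the script assumes `adb` is on the PATH with one device attached.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Indicators copied from the "App information" list on this page.
PACKAGE = "com.qrcodescanner.barcodescanner"
SAMPLE_MD5 = "A922F91BAF324FA07B3C40846EBBFE30"


def apk_path_for(pm_output, package=PACKAGE):
    """Return the APK path for `package` from `pm list packages -f` output, or None."""
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Format is package:<apk path>=<name>. The path can itself contain '='
        # on recent Android releases, so split on the last '=' only.
        path, _, name = line[len("package:"):].rpartition("=")
        if name == package:  # exact match, so look-alike package names are ignored
            return path
    return None


def md5_of(path):
    """MD5 of a file as upper-case hex, matching the notation used on this page."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def verdict(apk_path, local_copy=None, expected=SAMPLE_MD5):
    """Classify a device as 'absent', 'installed-unknown-build' or 'matches-sample'."""
    if apk_path is None:
        return "absent"
    if local_copy is not None and md5_of(local_copy) == expected.upper():
        return "matches-sample"
    return "installed-unknown-build"  # same package, different hash: inspect further


if __name__ == "__main__":
    listing = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                             capture_output=True, text=True, check=True).stdout
    remote, local = apk_path_for(listing), None
    if remote:
        local = Path(tempfile.mkdtemp()) / "base.apk"
        subprocess.run(["adb", "pull", remote, str(local)], check=True)
    print(verdict(remote, local))
```

An `installed-unknown-build` result still warrants a closer look, since the hash on this page covers only one APK.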

