An app with more than 10 million downloads from the Google Play Store recently took a hard turn to the dark side, according to antivirus company Malwarebytes.
The Barcode Scanner app had appeared in the store for years, but in December it became clear that it “had gone from an innocent scanner to full on malware,” writes Nathan Collier, a researcher for the Silicon Valley company.
Malwarebytes said Google Play removed the app in early December after users reported that it was opening the default web browsers on phones to serve up ad pages — without any direct action by the device owners themselves. The company is labeling the malicious code as a trojan.
“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier writes.
The researcher makes a clear distinction: There are many ways apps can go from innocent to annoying with behavior that serves up advertisements. One example is an app whose software developer kit (SDK) allows for third-party companies to display ads within the app itself. That’s a common way for developers to monetize their creations, especially for a “free” version of an app. Sometimes the ads served up through those connections can become a nuisance, though, earning an app the label of “adware.”
In this case, Barcode Scanner’s SDK wasn’t the problem. This was more than just adware. Malwarebytes says it appears that the browser-opening code came from within the core Barcode Scanner software itself.
“[M]alicious code had been added that was not in previous versions of the app,” the researcher writs. “Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions.”
Malwarebytes says the app’s listed publisher is LavaBird LTD. A London-based company with that name says it specializes in “development and monetization of mobile games and applications.” The company’s website has no mention of Barcode Scanner.
The antivirus company notes that an app’s removal from the Google Play Store does not delete it from a user’s Android device.