Barcode Scanner, a popular Android app, slipped undesirable code into an update in early December, an update that had the potential to reach more than 10m devices though actual distribution is believed to be far less.
Several weeks later, Google removed the app from Google Play. Those who downloaded the software and accepted the update may still have on their mobile devices the problematic code, which appears to open the browser and visits websites all by itself.
Barcode Scanner, distributed by a London-based company called LavaBird, received an update on December 4, 2020, that appears to have introduced the code in question, according to Nathan Collier, a security researcher at Malwarebytes.
LavaBird – which was incorporated in March 2020, and is run by Dmytro Kizema, a resident of Ukraine – did not immediately respond to a request for comment. However, those involved appear to have been using variations on that name for several years and have other apps that they use to sell traffic to advertisers.
Collier said in a blog post that this was not a case of a third-party SDK within the app going weird: it was a deliberate change. “Furthermore, the added code used heavy obfuscation to avoid detection,” he noted.
Collier said Malwarebytes confirmed that the app developer was responsible because the code-signing certificate for known clean versions of the code matched the altered version.
After the update was pushed out, it took about three weeks before people’s complaints drew attention to Barcode Scanner, at which point Malwarebytes began to block it. The software, which opens users’ browsers, redirects them to unwanted websites, and prompts further software installation, has been dubbed Android/Trojan.HiddenAds.AdQR.
The Register asked Google to confirm when it removed Barcode Scanner and whether it has taken, or plans to take, any action to remove subverted versions of Barcode Scanner on Android users’ devices. Google’s app defense mechanism, Google Play Protect, has the ability to issue notifications about apps, to disable them, and to remove them automatically. We’ve not heard back from Google about how it responded.
Collier, via a spokesperson for Malwarebytes, said the antivirus biz could not confirm when Google removed the app but it was after he posted about it on the Malwarebytes forum on December 24, 2020. He said he’s not sure how many people actually installed the update, and added that Google Play Protect has not removed the app from Android devices.
Subverting barcode scanning apps appears to be popular. In June last year, security biz Trend Micro reported finding two adware-laden barcode reading apps in Google Play, with 2m downloads between them. The outfit also identified 51 other apps that exhibited the same adware behavior.