Google has eliminated a preferred Android barcode scanner app with over 10 million installs from the Play Retailer after researchers discovered that it turned malicious following a December 2020 replace.
After mendacity dormant for years, the beforehand official Barcode Scanner app developed by LAVABIRD LTD self-updated and took over the customers’ gadgets utilizing malicious code now tagged by safety distributors as trojan malware.
The malicious conduct skilled by its hundreds of thousands of customers included seeing their default browser launching with none consumer interplay and displaying adverts that promoted different, doubtlessly malicious, Android apps.
“Lots of the patrons had the app put in on their cell gadgets for lengthy intervals of time (one consumer had it put in for a number of years),” Malwarebytes malware researcher Nathan Collier said.
“Then , after an replace in December, Barcode Scanner had gone from an harmless scanner to full on malware!”
Though this would not be the primary time malicious code has been present in Android apps, such incidents normally contain the usage of third-party software program growth kits (SDKs) utilized by free app variations to show adverts for monetization.
Nonetheless, on this case, the obfuscated and signed malicious code was bundled with the app and put in on the gadgets of greater than 10 million customers in a single fell swoop.
“To confirm that is from the identical app developer, we confirmed it had been signed by the identical digital certificates as earlier clear variations,” Collier added.
“Due to its malign intent, we jumped previous our unique detection class of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”
Google eliminated LAVABIRD’s Barcode Scanner app from the Play Retailer after receiving Malwarebytes’ disclosure in December.
Regardless of this, there may nonetheless be hundreds of thousands of different gadgets nonetheless affected and displaying undesirable adverts to its unwitting userbase.
A LAVABIRD spokesperson was not instantly out there for remark when contacted by BleepingComputer earlier in the present day for remark.