A Barcode Scanner App With Millions of Downloads Goes Rogue

A benign barcode scanner with extra than 10 million downloads from Google Enjoy has been caught obtaining an up grade that turned it to the dark side, prompting the look for-and-advertising and marketing large to get rid of it.

Barcode Scanner, a single of dozens of this sort of apps obtainable in the formal Google application repository, started its existence as a reputable presenting. Then in late December, researchers with protection business Malwarebytes started obtaining messages from buyers complaining that advertisements had been opening out of nowhere on their default browser.

Malwarebytes mobile malware researcher Nathan Collier was at to start with puzzled. None of the buyers experienced a short while ago put in any apps, and all the apps they experienced presently put in came from Enjoy, a industry that regardless of its extended background of admitting destructive apps remains safer than most 3rd-party web pages. Sooner or later, Collier recognized the offender as the Barcode Scanner. The researcher claimed an update delivered in December provided code that was liable for the bombardment of advertisements.

“It is frightening that with a single update an application can switch destructive while going beneath the radar of Google Enjoy Safeguard,” Collier wrote. “It is baffling to me that an application developer with a well-liked application would switch it into malware. Was this the scheme all along, to have an application lie dormant, waiting to strike following it reaches acceptance?”

Collier claimed that adware is usually the result of 3rd-party application growth kits, which developers use to monetize apps obtainable for cost-free. Some SDKs, unbeknownst to developers, conclude up pushing the limitations. As Collier was able to establish from the code alone and a electronic certificate that digitally signed it, the destructive habits was the result of alterations built by the developer.

The researcher wrote:

No, in the case of Barcode Scanner, destructive code experienced been additional that was not in prior versions of the application. On top of that, the additional code employed large obfuscation to stay clear of detection. To validate this is from the same application developer, we verified it experienced been signed by the same electronic certificate as prior clean up versions. For the reason that of its malign intent, we jumped earlier our original detection group of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google removed the application following Collier privately notified the corporation. So significantly, having said that, Google has still to use its Google Enjoy Safeguard resource to get rid of the application from units that experienced it put in. That means buyers will have to get rid of the application themselves.

Google representatives declined to say if the Safeguard function did or didn’t get rid of the destructive barcode scanner. Ars also emailed the developer of the application to look for comment for this submit but so significantly hasn’t been given a response.

Any person who has a barcode scanner put in on an Android device really should examine it to see if it’s the a single Collier recognized. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package deal identify is com.qrcodescanner.barcodescanner. The destructive barcode scanner should not be bewildered with the a single listed here or other apps with the same identify.

The standard guidance about Android apps applies listed here. People today really should put in the apps only when they provide correct benefit and then only following studying person reviews and permissions demanded. People today who haven’t employed an put in application in extra than six months really should also strongly take into consideration eliminating it. Unfortunately, in this case, following this guidance would fall short to have guarded many Barcode Scanner buyers.

It’s also not a terrible concept to use a malware scanner from a reputable corporation. The Malwarebytes application delivers application scanning for cost-free. Operating it after or twice a thirty day period is a great concept for many buyers.

This story initially appeared on Ars Technica.

Far more Excellent WIRED Tales