With one update, this malicious Android app hijacked millions of devices

With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. 

Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google's official app repository for years. The app, accounting for over 10 million installs, offered a QR code reader and a barcode generator --  a useful utility for mobile devices. 

The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems -- until recently. 

According to Malwarebytes, users recently started to complain of adverts appearing unexpectedly on their Android devices. It is often the case that unwanted programs, ads, and malvertising are connected with new app installations, but in this example, users reported that they had not installed anything recently. 

Upon investigation, the researchers pinpointed Barcode Scanner as the culprit. 

A software update issued on roughly December 4, 2020, changed the functions of the app to push advertising without warning. While many developers implement ads in their software in order to be able to offer free versions -- and paid-for apps simply do not display ads -- in recent years, the shift of apps from useful resources to adware overnight is becoming more common. 

"Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It's a win-win situation for everyone," Malwarebytes noted. "Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive."

Sometimes, 'aggressive' advertising practices can be the fault of SDK third-parties -- but this was not the case when it comes to Barcode Scanner. Instead, the researchers say that malicious code was pushed in the December update and was heavily concealed to avoid detection.

The update was also signed with the same security certificate used in past, clean versions of the Android application. 

Malwarebytes reported its findings to Google and the tech giant has now pulled the app from Google Play. However, this doesn't mean that the app will vanish from impacted devices, and so users need to manually uninstall the now-malicious app. 

Transforming clean SDKs into malicious packages is only one method employed to avoid Google Play protection, with time checks, long display times, the compromise of open source libraries used by an app, and dynamic loading also cited as potential ways for attackers to compromise your mobile device.

Another interesting method, spotted by Trend Micro, is the implementation of a motion sensor check. In 2019, Android utility apps were found to contain the Anubis banking Trojan which would only deploy once a user moved their handset. 

ZDNet has reached out to the developer and will update if we hear back. 

Previous and related coverage

• New ransomware masquerades as COVID-19 contact-tracing app on your Android device
  
• This new Android mobile malware targets banks, financial services across Europe
  
• These malicious Android apps will only strike when you move your smartphone
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0