Just one update and a legitimate app can turn into a parasite for your devices
In just one update, a popular barcode reader app on Google Play turned into malware and could hijack up to 10 million devices.
The barcode reader from Lavabird Ltd. has been available on the Google Play Store for years. The Android app, which has more than 10 million installs, offers a QR code reader and barcode generator - a useful service for mobile devices.
Until recently, this mobile app seemed to be legitimate and trustworthy software, with its many users who installed it years ago never having any issues.
Unexpected ads appearing
According to Malwarebytes, users have recently started to complain about the unexpected appearance of ads on their Android devices. Oftentimes, unwanted programs, ads, and malicious adware are related to installing new apps, but in this example, users reported that they had nothing installed recently.
After investigation, the researchers identified the barcode reader as the culprit.
A software update, released around December 4, 2020, changed the functions of the app to allow push advertising without warning. While many developers embed advertisements in their software so that they can offer free versions - and paid apps just don't display ads - in recent years, the overnight shift from useful resource apps to software advertising is more and more frequent.
“Advertising SDKs can come from various third-party companies and be a source of revenue for the app developer. It's a win-win situation,”notesMalwarebytes. “Users get a free app, while app developers and ad SDK developers get paid. But every once in a while an ad SDK company might change something on their end and the ads might start to get a bit aggressive. "
Google removed the app from the Play Store
Sometimes "aggressive" advertising practices can be done by third parties, but this was not the case with the barcode reader. On the contrary, the researchers say the malicious code was pushed into the December update and heavily concealed so as not to be detected. The update was also signed with the same security certificate that was used in previous and clean versions of the Android app.
Malwarebytes shared their findings with Google. The web giant has now removed the app from its app store. However, this does not mean that the app will disappear from the affected devices, and therefore users must manually uninstall the now malicious app.
Turning clean SDKs into malicious packages is just one method used to avoid the protection of Google Play, with time checks, long display times, the compromise of open source libraries used by an application, and the dynamic loading also cited as a potential way for attackers to compromise your mobile device.
Another interesting method, spotted by Trend Micro, is the implementation of motion sensor control. In 2019, it was discovered that Android utility apps contained the Anubis banking Trojan, which only deploys when a user moves their phone.