A popular app was removed from Google Play after it was discovered to deliver Trojan malware to millions of users phones through an update.
Until recently, the Barcode Scanner was a simple application that provided users with a basic QR code reader and a barcode generator, useful for things that making purchases and capitalizing on discounts. The application, existing at least since 2017, is owned by the developer Lavabird Ldt. And it claims to have over 10 million downloads, shows the Wayback car.
However, a malicious eruption of activity was recently traced back to the application. Users have begun to notice something strange happening to their phones: their default browsers have been hijacked and redirected to random ads, seemingly out of nowhere. For a number of people, it was not clear what caused the interruptions – because many have not recently downloaded any applications. After quite a few angry victims wrote about their experiences on a web forum, a user pointed to the barcode.
Researchers with Malwarebytes have verified that the scanner is to blame, releasing a new report that looks delivered malware that produced ads on users’ phones, probably through a December update. The update ruined the previously benign application – moving it from “an innocent scanner to completely full of malware”, the researchers write.
G / O Media may receive a commission
Researchers differentiate malware that promotes barcodes from ad SDKs – programs used by publishers to launch advertising in the application in order to generate money – claiming that “it was not the case” with the barcode scanner. Anyone who injected malicious code used an intense offense to hide the fact that it was there, the researchers say, adding that the app appears to have been intentionally transformed from a normal app to a malicious one through the update. They are writing:
It’s scary that, with a single update, an app can become malicious while going under the Google Play Protect radar. It is confusing to me that an application developer with a popular application would turn it into malware. Was this scheme all the time, for an application to be inactive, waiting to hit after it reaches popularity? I don’t think we’ll ever know.
While Google removed Barcode Scanner from its app store, has not disappeared from the affected devices. Users of the application will have to manually uninstall it from their phones.
The owner of the Barcode Scanner, Lavabird Ltd., was established in 2020 and is registered at an address in London, according to available online records. The director of the company, Dmytro Kizema, is in Ukraine.
Gizmodo has contacted Lavabird and will be updated if we hear.