Popular Barcode Scanner App Transforms Into Adware

Google has reacted quickly and removed a popular Android app on its Google Play Store, that was discovered to the source of unwanted advertising.

The rogue app in question is called Barcode Scanner, and Malwarebytes explained in a blog post last week how its forum users had tipped off its security researchers about the app.

What makes this an issue is that Barcode Scanner had been downloaded 10 million times, but “after an update in December, Barcode Scanner had gone from an innocent scanner to full on malware!” said Malwarebytes.

Barcode scanner: Source Malwarebytes

Adware infection

“Late last December we started getting a distress call from our forum patrons,” the security researchers blogged. “Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store.”

“Then one patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner,” Malwarebytes wrote. “An app that has 10,000,000+ installs from Google Play! We quickly added the detection, and Google quickly removed the app from its store.”

The Barcode Scanner is from a company called LavaBird Ltd, which reportedly has at least four other apps on the Google Play Store.

The firm reportedly uses an address in central London, which is reported to be just a forwarding service as other companies are also registered at the same address.

LavaBird, according to the Register, seems to have been registered in London in March 2020 by a 23-year-old Ukrainian man who lives in Kyiv.

And Malwarebytes has alleged that the LavaBird deliberately hide the change in code in the update.

“The majority of free apps on Google Play include some kind of in-app advertising,” blogged Mlawarebytes. “They do this by including an ad SDK to the code of the app. Usually at the end of the app’s development. Paid-for versions simply do not have this SDK included.”

Malign intent

“But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive,” said the security firm. “Sometimes even landing the apps that use it in the Adware category. When this happens, it is not the app developers’ doing, but the SDK company. I explain this method to say that in the case of Barcode Scanner, this was not the case.”

“No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app,” Malwarebytes blogged. “Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”

“It is hard to tell just how long Barcode Scanner had been in the Google Play store as a legitimate app before it became malicious,” said Malwarebytes. “Based on the high number of installs and user feedback, we suspect it had been there for years.”

“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” it concluded. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.”

Users are advised to uninstall the app, and Malwarebytes provided the hyperlink of the offending app (available here), to avoid confusion as there are plenty of genuine barcode scanner apps still on Google Play.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago