A popular app has been removed from Google Play after it was discovered that it had delivered Trojanized malware to millions of users. phones via an update.
Until recently, barcode scanners were a simple application that provided users with a basic QR code reader and barcode generator, useful for things as make purchases and redeem discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ldt., And claims to have over 10 million downloads, shows Wayback Machine.
However, a rash of malicious activity was recently traced back to the app. Users began to notice something strange going on with their phones: Standard readers were constantly hijacked and redirected to random ads, apparently out of nowhere. For a number of people, it was not clear what caused the disruption, as many had not recently downloaded any apps. After enough victims wrote about their experiences on a web forum, a user finally pointed the finger at the barcode.
Researchers with Malwarebytes have confirmed that the scanner is the culprit, and release one new report it shows it delivered the ad-producing malware on users’ phones, probably via a December update. The update destroyed the previously benign app – it took it from “an innocent scanner to complete malware”, write researchers.
Researchers distinguish Barcodes ad-pushing malware from basic ad SDKs – programs used by publishers to start advertising in the revenue generation app – and claimed that “this was not the case” with barcode scanner. The person who injected the malicious code used powerful fabrication to hide the fact that it was there, researchers say, adding that the app appears to have been deliberately transformed from a regular app into a malicious one via the update. They write:
It’s scary that with an update, an app can become harmful while going under the radar of Google Play Protect. It’s confusing to me that an app developer with a popular app would do that about malware. Was this the scheme all the time, to have an app lying dormant and waiting to strike after it has become popular? I guess we’ll never know.
While Google has pulled barcode scanners from its app store, it is not away from affected devices. Users of the app still need to manually uninstall it from their phones.
Barcode Scanner’s owner, Lavabird Ltd., was incorporated in 2020 and is registered at an address in London, according to available electronic records. The company’s director, Dmytro Kizema, lives in Ukraine.
Gizmodo has reached out to Lavabird and will update if we hear back.