Last week, we reported that Google had removed a popular Chrome extension because new owners turned it into a malware app. In a disturbingly common rerun, much the same thing has happened to a popular Android app, downloaded millions of times from the Play Store. Out of nowhere, it started displaying malicious ads, and now it
Malwarebytes documents how its forum users started reporting strange pop-up ads and website redirects on their mobile browsers just over a month ago. After some investigation, the service’s staff determined that a December 4 update of “Barcode Scanner” by Lavabird LTD had started pushing ads for unnecessary (and potentially fraudulent) security services to its millions of users.
Malwarebytes has warned Google and the listing for the app has been removed from the Play Store, but it has reportedly not been removed remotely from the affected users’ phones (as was the case with the Chrome extension). Presumably, the app bypassed the Play Store’s normally robust set of protections, Google Play Protect, by delivering the malicious code as a seemingly harmless update rather than starting out as a bogus app: it had been used harmlessly for years before the update.
It is not clear what prompted the change. In the case of The Great Suspender extension, it was clearly the new owners of the service who steered it in a malicious direction. For Barcode Scanner, there was no apparent change in ownership or developer behavior before the app turned malicious. If you’re wondering which specific scanner app it is, it used to live at https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner. Oddly, the developer of that app is still active on the Play Store, with a similar app (not updated since August) still live. It is listed with an identical icon and the (possibly deliberate?) ‘Barcode scanner’ spelling error. The developer information lists Maharashtra, India as the location, with a generic Gmail address and a blank web page. Earlier versions of the app, apparently under the same developer account, showed a harmless WordPress page as a website.
Google’s efforts to keep Android and Chrome “clean” have been generally excellent so far, despite their inherent vulnerability as open platforms. But malicious actors can be resourceful in their attempts to bypass security, and it seems that updates to long-trusted applications have become something of a blind spot. Google needs to better protect its users on all platforms.