A popular app was removed from Google Play after it was discovered to have delivered Trojan malware to millions of users’ phones via an update.
Until recently, Barcode Scanner was a simple application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since 2017, is owned by developer Lavabird Ltd. and claims to have had more than 10 million downloads, the Wayback Machine shows.
Recently, however, a spate of malicious activity has been traced to the app. Users started to notice something strange with their phones: their default browser kept getting hijacked and redirected to random ads, seemingly out of the blue. For some people, it was not clear what was causing the disruptions, as many had not downloaded any apps recently. After enough irritated victims wrote about their experiences on a web forum, a user finally pointed the finger at Barcode.
Researchers with Malwarebytes have verified that the scanner is the culprit, and a new report shows it delivered the ad-producing malware to users’ phones, likely through an update in December. The update ruined the previously benign app and turned it from “a harmless scanner to full of malware,” researchers write.
Researchers distinguish Barcode Scanner’s ad-pushing malware from basic ad SDKs – programs used by publishers to run in-app advertising for monetization – saying that “it wasn’t” the case with Barcode Scanner. Whoever injected the malicious code used heavy obfuscation to hide the fact that it was there, researchers say, adding that the app appears to have been deliberately transformed from a normal app into a malicious one via the update. They write:
Frighteningly, an app can turn malicious with one update while going under the Google Play Protect radar. I’m surprised an app developer with a popular app would turn it into malware. Was this the plan all along for having an app idle, waiting to take hold after it gains popularity? I don’t think we’ll ever know.
While Google has pulled Barcode Scanner from its app store, it has not disappeared from the affected devices. Users of the app will still have to manually delete it from their phones.
The owner of Barcode Scanner, Lavabird Ltd., was founded in 2020 and is registered at an address in London, according to available online records. The company’s director, Dmytro Kizema, lives in Ukraine.
Gizmodo has contacted Lavabird and will update if we hear anything.