This week, it was discovered that a Google Play Pass app with more than 10 million installs turned into malware and was spreading annoying pop-up ads. Google has long since removed this app from the Play Store, but due to its generic name – ‘Barcode Scanner’ – the original, legitimate Barcode Scanner app of the same name was in the crossfire, receiving numerous unfounded one-star reviews accusing it malware.

Left: The deleted malicious app. Turn right: The legitimate app.

Many people who were infected by the malware and identified the malicious Barcode Scanner app as the culprit probably went to the Play Store for a review right after the removal, but since the malicious scanner app was already removed, they only found the legitimate one Barcode Scanner listing and assumed this was the one causing their misery. They probably haven’t noticed that this app is open source and hasn’t been updated since 2019 – both factors make it unlikely that it would suddenly push malware. In fact, this legit barcode scanner was developed by Googlers and built on top of Google’s QR Code decoder library ZXing – hence the developer name ZXing Team. In fact, the app was one of the first ever available in the Android Market (now Play Store).

After our coverage and the Malwarebytes report, the legitimate Barcode Scanner app actually received far fewer 1-star releases as it probably became more apparent that the ZXing Team application was not the culprit. That’s why you’ll see an influx of 5-star ratings defending the app and confirming that it is not spreading malware.

When we tested XZing Team’s barcode scanner for ourselves, we couldn’t find any strange or suspicious behavior, although we did notice how outdated the app is today. It still relies on Android’s old consent system and comes with a warning that it was built for an older version of the OS and may not work properly. We can only hope that Google will fix the ratings for the app, but given that it is still at a comfortable 4-star average and is no longer actively maintained, the question is open whether Google is even interested in correcting this error at all.

If you’re still looking for a replacement for the malicious barcode scanner, we can only continue to recommend Google Lens, which is built into the Google app and already installed on all Android phones (the ‘app’ that you can download from the Play Store is just a shortcut for your launcher).