A benign barcode scanner with greater than 10 million downloads from Google Play has been caught receiving an improve that turned it to the darkish facet, prompting the search-and-advertising large to take away it.

Barcode Scanner, one of dozens of such apps accessible within the official Google app repository, started its life as a legit providing. Then in late December, researchers with safety agency Malwarebytes started receiving messages from prospects complaining that adverts had been opening out of nowhere on their default browser.

Malwarebytes cellular malware researcher Nathan Collier was at first puzzled. None of the shoppers had lately put in any apps, and all of the apps that they had already put in got here from Play, a market that regardless of its lengthy historical past of admitting malicious apps stays safer than most third-party websites. Ultimately, Collier recognized the perpetrator because the Barcode Scanner. The researcher mentioned an replace delivered in December included code that was accountable for the bombardment of adverts.

“It’s horrifying that with one replace an app can flip malicious whereas going beneath the radar of Google Play Defend,” Collier wrote. “It’s baffling to me that an app developer with a well-liked app would flip it into malware. Was this the scheme all alongside, to have an app lie dormant, ready to strike after it reaches recognition?”

Collier mentioned that adware is usually the end result of third-party software program growth kits, which builders use to monetize apps accessible totally free. Some SDKs, unbeknownst to builders, find yourself pushing the bounds. As Collier was capable of set up from the code itself and a digital certificates that digitally signed it, the malicious conduct was the end result of adjustments made by the developer.

The researcher wrote:

No, within the case of Barcode Scanner, malicious code had been added that was not in earlier variations of the app. Moreover, the added code used heavy obfuscation to keep away from detection. To confirm that is from the identical app developer, we confirmed it had been signed by the identical digital certificates as earlier clear variations. As a result of of its malign intent, we jumped previous our authentic detection class of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

Google eliminated the app after Collier privately notified the corporate. To this point, nonetheless, Google has but to make use of its Google Play Defend device to take away the app from units that had it put in. Which means customers must take away the app themselves.

Google representatives declined to say if the Defend function did or didn’t take away the malicious barcode scanner. Ars additionally emailed the developer of the app to hunt remark for this publish however to date hasn’t obtained a response.

Anybody who has a barcode scanner put in on an Android gadget ought to examine it to see if it’s the one Collier recognized. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the bundle title is com.qrcodescanner.barcodescanner. The malicious barcode scanner should not be confused with the one right here or different apps with the identical title.

The standard recommendation about Android apps applies right here. Individuals ought to set up the apps solely after they present true profit after which solely after studying consumer critiques and permissions required. Individuals who haven’t used an put in app in additional than six months must also strongly think about eradicating it. Sadly, on this case, following this recommendation would fail to have protected many Barcode Scanner customers.

It’s additionally not a foul thought to make use of a malware scanner from a good firm. The Malwarebytes app gives app scanning totally free. Operating it a couple of times a month is a good suggestion for a lot of customers.

This story initially appeared on Ars Technica.

Extra Nice WIRED Tales