Sometimes people you’ve known for some time go bad — not because of anything you did, it’s just where they are right now. Such is the case with a popular barcode scanner app, imaginatively called Barcode Scanner, that switched from scanning little black-and-white lines to handing out malware.
The Android app, which had more than 10 million downloads before it was eventually taken down from Google’s Play Store, used to be a regular old app, according to Malwarebytes researcher Nathan Collier. But then, late last year, something changed. Maybe it discovered drugs, or something.
Building a better barcode scanner
Basically, the app suddenly began serving malware to its users. Collier explains, “…in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR”.
The app started opening the phone’s browser on its own, directing smartphone owners to websites that… don’t look all that trustworthy. Picture the sort of scareware notifications that would terrify your grandmother into handing over her credit card details and you’ve got some idea where this scanner was going.
How to tell if you’re using it
You can use an MD5 checker against the following hash digest: A922F91BAF324FA07B3C40846EBBFE30. The app’s package name is com.qrcodescanner.barcodescanner, if you’d rather inspect it with an app inspector. You can also just check who made your app — it’s LavaBird LTD who were hosting the malicious actor, in case you need it spelled out (we totally did).
Or, try and open the store page for the app in App Info (hold down the app until you get a popup — App Info is one of the options). Look for App details in store and select it. If the page no longer exists… well… time to run a malware scan.
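The hash and package-name checks described above can be scripted. This is an added example, not code from Malwarebytes or the article; it assumes you have pulled APK files into a local folder and saved the output of `adb shell pm list packages`, and the sample inputs in it are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted in the article above.
BAD_MD5 = {"a922f91baf324fa07b3c40846ebbfe30"}
BAD_PACKAGES = {"com.qrcodescanner.barcodescanner"}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large APKs are not read into memory at once."""
    digest = hashlib.md5()  # MD5 only because the published indicator is MD5
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_apks(directory, bad_md5=BAD_MD5):
    """Return paths of .apk files under `directory` whose MD5 is in bad_md5."""
    wanted = {h.lower() for h in bad_md5}  # published hashes are often upper case
    return sorted(str(p) for p in Path(directory).rglob("*.apk")
                  if p.is_file() and md5_of_file(p) in wanted)


def flag_packages(pm_output, bad_packages=BAD_PACKAGES):
    """Match `pm list packages` lines ("package:<name>") exactly, not by substring."""
    installed = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            installed.add(line[len("package:"):])
    return sorted(installed & set(bad_packages))


if __name__ == "__main__":
    # Constructed sample of `adb shell pm list packages` output.
    sample = "package:com.android.chrome\npackage:com.qrcodescanner.barcodescanner\n"
    print("flagged packages:", flag_packages(sample))
    # Constructed stand-in APK; its hash will not match the real indicator.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.apk").write_bytes(b"constructed test bytes")
        print("flagged APKs:", scan_apks(tmp))
```

A hash match only identifies that one exact build, so a clean hash result does not clear other versions of the same package; the package-name match is the broader check.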