Have you installed the Barcode Scanner app on your Android? We have bad news for you

A barcode scanner application on Google Play, downloaded more than ten million times, has been the vector for a large-scale malware infection.

The application in question is called Barcode Scanner, and since December 2020 it has increasingly been the subject of complaints from users. Nathan Collier, a researcher at Malwarebytes who dealt with the case, was at first perplexed.

None of the customers had recently installed any apps, and the apps they had already installed came from Google's official store, which despite a less than perfect history remains much safer than third-party sites. After several searches, Collier identified Barcode Scanner as the culprit.




The researcher said an update delivered in December included code that was responsible for a large volume of malicious advertisements. He was surprised that the application managed to pass under the radar of Google Play Protect. It is also absurd that the developer was able to turn the program into malware in plain sight without anyone noticing.

How does an application turn into malware?

In the words of the researcher, the transformation of a legitimate app into malware is often the result of third-party software development kits (SDKs) that developers use to monetize applications. In this case, however, the researcher determined from the application code and the digital certificate that accompanies it that the malicious behavior was the result of changes made directly by the developer.


In fact, the researcher stated:


No, in the case of Barcode Scanner, malicious code was added that was not present in previous versions of the app. Also, the added code was heavily masked to make it difficult to detect.
To verify that it came from the same developer as the app, we checked the digital certificates of the new version and the old one. Given the malicious intent of the change, we decided to define the added code as a Trojan instead of adware.
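The certificate comparison described in the quote can be reproduced on two APK files. The following is an added example, not code from the article or from Malwarebytes: it reads the signing certificate from each file's APK Signature Scheme v2 block and compares SHA-256 fingerprints. The function names and the constructed sample input are assumptions; the code does not verify the signature itself and ignores v1-only and v3 signing data.

```python
import hashlib
import struct

MAGIC = b"APK Sig Block 42"
V2_ID = 0x7109871A  # APK Signature Scheme v2 entry in the signing block

def lp(b):  # prefix b with its length as a little-endian uint32
    return struct.pack("<I", len(b)) + b

def chunks(buf):
    """Yield each uint32-length-prefixed item in buf."""
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        if n > len(buf) - pos - 4:
            raise ValueError("truncated length-prefixed field")
        yield buf[pos + 4 : pos + 4 + n]
        pos += 4 + n

def v2_cert_digests(apk):
    """SHA-256 of every v2 signer's first certificate; signatures are NOT verified."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    # Central directory offset; the signing block sits directly before it.
    cd = struct.unpack_from("<I", apk, eocd + 16)[0] if eocd >= 0 else 0
    if cd < 32 or apk[cd - 16 : cd] != MAGIC:
        raise ValueError("no ZIP end record or no APK Signing Block")
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    if not 24 <= size <= cd - 8:
        raise ValueError("bad signing block size")
    pairs, pos, found = apk[cd - size : cd - 24], 0, set()
    while pos < len(pairs):
        n, pair_id = struct.unpack_from("<QI", pairs, pos)
        value, pos = pairs[pos + 12 : pos + 8 + n], pos + 8 + n
        if pair_id == V2_ID:
            for signer in chunks(next(chunks(value))):
                # signed data holds: digests, certificates, attributes
                certs = list(chunks(next(chunks(signer))))[1]
                found.add(hashlib.sha256(next(chunks(certs))).hexdigest())
    return found

def same_signer(old_apk, new_apk):
    """True when both builds carry at least one common signing certificate."""
    return bool(v2_cert_digests(old_apk) & v2_cert_digests(new_apk))

def sample_apk(cert):
    """Constructed input: an empty ZIP whose signing block holds one v2 signer."""
    signer = lp(lp(b"") + lp(lp(cert)) + lp(b"")) + lp(b"") + lp(b"")
    value = lp(lp(signer))
    pair = struct.pack("<QI", len(value) + 4, V2_ID) + value
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    return block + struct.pack("<4s4HIIH", b"PK\x05\x06", 0, 0, 0, 0, 0, len(block), 0)
```

A match means the update was signed with the same key as the earlier version, which is what ties the change to the developer rather than to a repackaged copy. Validate the signature itself with `apksigner verify --print-certs` before relying on the fingerprint.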



Google removed the malicious application from the store, but did not remove it from infected smartphones. This last operation must be performed by the user.
