A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search-and-advertising giant to remove it.
Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.
One update is all it takes
Malwarebytes mobile malware researcher Nathan Collier was at first puzzled. None of the customers had recently installed any apps, and all the apps they had already installed came from Play, a market that despite its long history of admitting malicious apps remains safer than most third-party sites. Eventually, Collier identified the culprit as the Barcode Scanner. The researcher said an update delivered in December included code that was responsible for the bombardment of ads.
“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier wrote. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity?”
Collier said that adware is often the result of third-party software development kits, which developers use to monetize apps available for free. Some SDKs, unbeknownst to developers, end up pushing the limits. As Collier was able to establish from the code itself and the digital certificate used to sign it, the malicious behavior was the result of changes made by the developer.
one here or other apps with the same name.
The usual advice about Android apps applies here. People should install apps only when they provide true benefit and then only after reading user reviews and the permissions required. People who haven’t used an installed app in more than six months should also strongly consider removing it. Unfortunately, in this case, following this advice would have failed to protect many Barcode Scanner users.
It’s also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.