A popular app was removed from Google Play after it was found to have infected millions of users with Trojanized malware. Phones have an update.
Until recently, the barcode scanner was a straightforward application that provided users with a basic QR code reader and barcode generator that were useful for things to like Make purchases and redeem discounts. The app, which has been around since at least 2017, belongs to the developer Lavabird Ldt. And is said to have over 10 million downloads. the Wayback Machine shows.
However, a rash of malicious activity was recently attributed to the app. Users noticed something strange with their phones: their default browsers kept being hijacked and redirected to random advertisements, seemingly out of nowhere. It wasn’t clear to a number of people what was causing the glitches – as many had not recently downloaded any apps. After enough disgruntled victims wrote about their experience on a web forum, one user finally pointed a finger at barcode.
Researchers with Malwarebytes have confirmed that the scanner is the culprit, and one new report this shows It delivered the ad-producing malware onto users’ phones, likely via a December update. The update corrupted the previously harmless app and switched it from an “innocent scanner to a fully malware” one, researchers write.
The researchers distinguish barcode adware malware from basic ad SDKs – programs used by publishers Launch in-app advertising for monetization purposes, claiming that the barcode scanner did not. Whoever injected the malicious code heavily obscured the fact that they were there, researchers say. The app seems to have been purposely transformed from a normal app into a malicious app via the update. They write:
It’s terrifying that with an update under the Google Play Protect radar, an app can become malicious. It is confusing to me that an app developer would turn it into malware with a popular app. Has this all along been the scheme of leaving an app hanging and waiting to strike after it has grown in popularity? I think we’ll never find out.
While Google pulled barcode scanners from its app storeit has not disappeared from affected devices. Users of the app will still have to manually uninstall it from their phones.
The owner of Barcode Scanner, Lavabird Ltd., was founded in 2020 and is registered with an address in London. according to available online records. The company’s director, Dmytro Kizema, lives in Ukraine.
Gizmodo has reached out to Lavabird and will update when we hear something.