CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time, Kaspersky noted. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.
CamScanner, an Android app that has been available since 2010, has recently started installing malware. Google has removed the hugely popular CamScanner PDF creator Android app from the Google Play Store after learning that it recently started delivering malware.
The app has been around since 2010, and it’s been downloaded more than 100 million times. As the Russian antivirus firm Kaspersky discovered, the app recently began spreading malware on Android devices.
The company behind CamScanner specializes in optical character recognition (OCR). Beyond CamScanner and its OCR text-reading functionality, it sells apps that capture text from business cards, including CamCard and CamCard for Salesforce.
The malicious code was delivered via an ad library. The trojan resulted in intrusive ads and signed users up for paid subscriptions. It was also designed to connect to the attackers’ servers and download additional code. According to Kaspersky, recent updates to the CamScanner app have apparently removed the malware.
The company has relied on ads and in-app purchases to earn revenue from CamScanner. However, according to researchers at Russian antivirus firm Kaspersky, recent versions of the app included a new advertising library that contained a Trojan designed to deliver malware to Android devices.
Kaspersky notes that the malicious code may show intrusive ads and sign users up for paid subscriptions. Intrusive ads are pesky, but no consumer wants to pay for subscriptions they never signed up for.
The so-called trojan dropper is configured to connect to the attackers’ servers, download additional code, and then execute that code on Android devices with the app installed.
The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers, the researchers said. As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.
The latest instance of malware underscores the continued challenge faced by Google to rid the platform of sketchy Android software.
The issues have also been compounded by what appears to be a larger problem plaguing the Play Store: bad actors can mask their true intentions by obfuscating malicious code behind encryption barriers that make it easy to bypass Google’s app vetting process.
Although the Mountain View behemoth’s antivirus efforts have resulted in the removal of hundreds of thousands of harmful apps, the security layer has not been bulletproof against all sorts of malware.
Android’s Malware Struggles
Google Play is home to millions of apps, many of which are updated regularly, and there’s no way Google can ensure that every single one is legit. Still, it is rare to see malware with a hundred million downloads.
Other Android malware incidents? More common. Ironically, the biggest scam that Android users fell for in early 2018 was fake virus alerts that were themselves malware. One firm detected over half a million of these scams in the first quarter of last year, along with more than a hundred thousand cases each of scams hidden in adult dating sites or posing as fake sweepstakes winner notifications.
Even worse, there is a chance that an Android device is shipped with malware already installed. A May 2018 report from Avast Threat Labs uncovered a few hundred devices with pre-installed malware sold by vendors including ZTE, Archos and myPhone. The devices were all cheap, not certified by Google, and sold mainly in Russia, Germany, Italy, the UK, and France, according to Engadget.
The app is currently unavailable in the Google Play store, which is the safest place to install Android apps, but its corresponding iOS version is still available on Apple’s App Store.
The incident looks more like a case of developers accidentally using a malicious ad library; such libraries are frequently found embedded in otherwise legitimate apps.
One ad library, called BeiTaPlugin, recently began shipping with 238 Google Play apps and affected 440 million users. And after those apps were pulled by Google, other Chinese Android app developers tried hiding the same library in another 60 apps that were again removed by Google.
Best Practices for Staying Safe
You can still download your Android apps from Google Play. Some apps can be malicious, but they are always rapidly removed when noticed. Here is how to limit the threats to your phone while downloading Android apps.
- Get a trusted antivirus program: Yes, you might accidentally download malware while trying to download the right antivirus program.
- Check the recent app reviews: Skimming the reviews is always a good idea. Pay the most attention to the most recent reviews, as they are more likely to be reviewing the most recent version of the app, and that is the version you are actually downloading.
- Do not venture into un-Google certified territory: The Google Play store might not be totally safe, but it is still the best place to get your Android apps. Google vets the store, and, as we mentioned, it is rare to actually see an app as big as CamScanner turn to the dark side.
Sure, it is impossible to stay 100% safe. But with these tips, you can hover comfortably around the 99% safe mark.
Finally on CamScanner
While sticking to Play Store is still the safest way to download apps, be sure to check their permissions, reviews, and install them only if it’s absolutely essential for your day-to-day needs. As the researchers caution, malware might just be one app update away.