Barcode Scanner is a really popular app, with over 10,000,000 installs from the Play Store, so for an app that popular to go bad comes as something of a surprise. Malwarebytes, alerted by some of its users, found that it had been pushing malware onto millions of phones.
The Malwarebytes blog post explains how ad-supported apps normally work, including how the ads are fed into the app through an advertising SDK, and then explains why Barcode Scanner was a different case:
in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.
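The signer check the quoted passage describes (confirming that a suspicious update carries the same signing certificate as earlier clean versions) is straightforward to reproduce. The following is an added example, not code from the original post or from Malwarebytes: it reads the v1 (JAR-style) signature block under META-INF/ from two APKs, pulls the signer certificate out of the PKCS#7 structure with a minimal DER walker, and compares SHA-256 fingerprints, which is the same digest `apksigner verify --print-certs` reports. The APKs and certificates below are constructed stand-ins (the "certificates" are dummy DER SEQUENCEs, and the signature blocks have the right shape but no real signature); the function names are this example's own. Apps signed only with the v2/v3 APK Signature Scheme keep their certificate in the APK Signing Block instead, which this example does not parse.

```python
"""Compare the signing certificate of two APK versions (v1 / JAR signature).

Added example: the check is the one described in the quoted Malwarebytes text,
but the code, names and sample data here are constructed for illustration.
"""
import hashlib
import io
import zipfile


def _der_tlv(data, pos=0):
    """Parse one DER TLV starting at pos; return (tag, value, end_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der_children(value):
    """Yield (tag, value, raw_tlv) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = _der_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end


def signer_cert_der(pkcs7_der):
    """Return the raw DER of the first certificate in a PKCS#7 SignedData blob.

    Layout walked: ContentInfo SEQUENCE { OID signedData, [0] EXPLICIT
    SignedData SEQUENCE { version, digestAlgorithms, encapContentInfo,
    [0] IMPLICIT certificates, ... } }.
    """
    _, content_info, _ = _der_tlv(pkcs7_der)
    children = list(_der_children(content_info))
    _, explicit_content, _ = children[1]          # [0] EXPLICIT wrapper
    _, signed_data, _ = _der_tlv(explicit_content)
    for tag, val, _ in _der_children(signed_data):
        if tag == 0xA0:                           # [0] IMPLICIT SET OF Certificate
            _, _, first_cert = next(_der_children(val))
            return first_cert
    raise ValueError("signature block carries no certificate")


def apk_signing_cert_fingerprint(apk_bytes):
    """SHA-256 hex digest of the v1 signer certificate inside an APK (zip)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError(f"expected one v1 signature block, found {len(blocks)}")
        cert = signer_cert_der(z.read(blocks[0]))
    return hashlib.sha256(cert).hexdigest()


def same_signer(apk_a, apk_b):
    """True when both APKs were signed with the same certificate."""
    return apk_signing_cert_fingerprint(apk_a) == apk_signing_cert_fingerprint(apk_b)


# ---- constructed sample data (not real APKs or certificates) ----------------

def _der(tag, payload):
    """Minimal DER encoder used only to build the constructed samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def make_fake_signature_block(cert_der, fake_signature):
    """PKCS#7 SignedData shell carrying one certificate; structure only."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                             # version
        + _der(0x31, b"")                                               # digestAlgorithms (empty)
        + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))  # pkcs7-data
        + _der(0xA0, cert_der)                                          # certificates
        + _der(0x31, _der(0x30, fake_signature)))                       # signerInfos (dummy)
    return _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702"))  # signedData OID
                + _der(0xA0, signed_data))


def make_fake_apk(cert_der, fake_signature, dex_payload):
    """Zip with the files a v1-signed APK would carry (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex_payload)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", make_fake_signature_block(cert_der, fake_signature))
    return buf.getvalue()


DEV_CERT = _der(0x30, b"constructed developer certificate")      # dummy cert DER
OTHER_CERT = _der(0x30, b"constructed unrelated certificate")    # dummy cert DER
DEV_CERT_SHA256 = hashlib.sha256(DEV_CERT).hexdigest()

CLEAN_APK = make_fake_apk(DEV_CERT, b"sig-v1", b"clean dex")             # earlier clean build
UPDATE_APK = make_fake_apk(DEV_CERT, b"sig-v2", b"updated dex")          # same developer key
REPACK_APK = make_fake_apk(OTHER_CERT, b"sig-v3", b"updated dex")        # different signer

if __name__ == "__main__":
    print("update signed by original developer:", same_signer(CLEAN_APK, UPDATE_APK))
    print("repack signed by original developer:", same_signer(CLEAN_APK, REPACK_APK))
```

A matching fingerprint, as in the quoted text, means the developer's own key signed the malicious build; it does not tell you whether the key was misused or the developer chose to ship the code. For real APKs, `apksigner verify --print-certs` covers all signature schemes and is the tool to compare against.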
Affected users are seeing an aggressive stream of ads. How long this code has been in the app is not entirely clear: it may have been there for some time but dormant, or it may only have been added in the December update. If nothing else, the fact that this came to Google's attention through Malwarebytes shows that even Google's own checks aren't perfect, so it is worth staying aware of the apps you have installed on your device. If your phone starts behaving unusually and you are unsure why, check whether any security alerts have been raised.