Trojan Dropper Malware Found In CamScanner Android App With 100+ Million Downloads

Kaspersky security researchers have discovered a Trojan Dropper malicious module hidden within the Android app CamScanner that's been downloaded over 100 million times on the Google Play Store. After they reported their findings, Google removed the app, but added, "it looks like the app developers got rid of the malicious code with the latest update of CamScanner." They conclude: "Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code." BleepingComputer reports: As a confirmation to sudden increases in negative ratings and user reviews usually pointing out to something not exactly going right with an app, the researchers found "that the developer added an advertising library to it that contains a malicious dropper component." In this case, while CamScanner was initially a legitimate Android app using in-app purchases and ad-based monetization, "at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module," says Kaspersky.

The module dubbed Trojan-Dropper.AndroidOS.Necro.n is a Trojan Dropper, a malware strain used to download and install a Trojan Downloader on already compromised Android devices which can be employed to infect the infected smartphones or tablets with other malware. When the CamScanner app is launched on the Android device, the dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app's resources. "As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," found the researchers.

Re:

[Anonymous Coward]

Android user here. You're a fucking retard.

Re:

[TheHawke]

It works and works well, if you know how to wriggle around their premium services. I've taken snaps of documents and created PDFs of them out in the field, then fired them off at people by email, surprising them with the speed of the turnaround. It works and works well, just keep clear of their cloud service.

Re:

[AHuxley]

The ads have to get the most care.
What users get for free is not like the expert attention needed for the paying ads?
Its an ad brand. To show ads to users.

Mobile Account?

[Retired ICS]

""As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," found the researchers."

What the hell is a "mobile account"?

Re:Mobile Account?

[SilentChasm]

Some carriers provide the ability to subscribe to things directly through your cell phone bill. This allows the cell service provider to stay in the middle of some transactions instead of just being relegated to being a dumb pipe of voice, text, and data. I imagine they are very jealous of Apple/Google's app and content store revenue and that they setup such a system to try to take a cut of the market.

Re:

[ath1901]

This is one of my main concern about using smart phones for important stuff. We are encouraged to install random crap from random people and at the same time use it for things like banking, payments etc. There is a permission system but we are taught to ignore it just like the Windows "security" nag boxes of old. Important permissions should have been in bold-faced blinking red and excessive permissions (like network access for a flashlight) should not be allowed at all. It should be possible to sort apps

Re:

[LordWabbit2]

like network access for a flashlight

Or everything wanting access to my contacts list. This reminds me of the time I needed a flashlight to plug something into my PC under my desk without removing the whole thing. All the flashlights I found had flat batteries, couldn't find fresh batteries, so I thought I would just use my cellphone flash as a torch (which is built in nowadays, but it wasn't then). Every single app I downloaded asked for ridiculous permissions (other than camera) and I refused. Ended u

Re:

[Malays Bowman]

All you needed was to open any app or menu that produces a nearly all white display. That's all these flashlight apps really do. Yeah some can do different colors, or psychedelic effects, or whatever but this is not needed at all if you just need a flashlight.

iOS vs droid

[Way Smarter Than You]

I just had this conversation on another thread yesterday. This is one of the reasons I use an iPhone. When is the last time there was a malware app slipped through the apple store with a huge number of users? How often has that happened compared to google's store? So many people here bash Microsoft for windows being a virus / malware magnet then turn around to praise the awesome that is their droid. I'm seriously honestly not trying to bash but I just don't get it. I just see cognitive dissonance on

Re:

[Sander1685]

In fact, in late 2015 something similar happened on iOS. It also affected CamScanner, which is why this article piqued my interest. In that case, they were using a compromised version of Xcode itself (not downloaded from Apple but from somewhere else). The compromised compiler inserted malware into each binary it built - basically the "Ken Thompson Hack". It's quite surprising that something similar happened to them again. It's the "Fool me once..." thing I suppose.

Re:

[fluffernutter]

When you go to a department store does someone hold your hand there so you don't get lost?

Re: iOS vs droid

[Way Smarter Than You]

Yes. Yermom does. Did I properly descend to your level with that comment? You added no signal. All noise. Make you feel big?

Re:

[fluffernutter]

I'm just tired of hearing nothing about "personal responsibility" around here, but no one seems to take it with their personal devices.

Re: iOS vs droid

[Way Smarter Than You]

In what way do I not take responsibility for my devices and my choice of devices? I clearly stated I've tried them all. I chose the ones that require least administrative effort on my part while still getting shit done. I don't want to be a phone sysadmin. I don't want to worry about having the latest AV on my phone and does it have the latest malware signatures. I want a fricken phone! And since it's 2019, I want a phone with email, browser, chat, a few simple games, and all the apps I'm nearly requi

Re:

[fluffernutter]

Because it prevents you from being led around the nose by Apple. iTunes (or whatever method they corral you into now) should not be the only way to do things. There should be an effort to make it work for everyone rather than people who own other Apple devices. When every app has to have an embedded web server so you can get files to it, something is wrong with the model.

Re: iOS vs droid

[Way Smarter Than You]

I actively chose apple after using two droids. My alternative is being led around by google? Jesus, like that's so great. As far as iTunes goes, I don't use it although it does exist on windows. I have no idea if it's truly the same between iOS macOS and windows or if a Linux client exists but it definitely exists for windows for -many- year's. I chose Apple. It works for me. I don't want to be a phone sysadmin. It is more secure than droid. Google isn't slurping up my data. They support updates f

Re:

[fluffernutter]

That's fine if you don't need to use it. But you're probably using iCloud, which many people don't want to do. No one should be forced into storing data on a third party.

Re: iOS vs droid

[Way Smarter Than You]

Why do I want droid?

Re:

[fluffernutter]

Because it's the only OS that doesn't interfere with your interaction with the device. I guess Apple and Google both suck in their own way, but I don't need digital signals from my device to the PC right in front of me funneled through a medium that will expose me to more advertising. I get creeped out enough when I'm in an Apple store, I don't want that in my daily life.

Re: iOS vs droid

[Way Smarter Than You]

Lolomgwtfbbq! You are concerned with privacy so you buy from google? Now you're just trolling me. I think you have been all along. Bye.

Re:

[fluffernutter]

Are you responding to me? I never said I am concerned about privacy. I'm saying my concern about using my device directly outweighs my concern for privacy.

Was a Useful App

[lunadude]

...and now it is deleted from my phone. Never signed up for the cloud storage service.

Thanks again to

[AHuxley]

Kaspersky.

Detection and Cleanup

[tal_mud]

I have used CamScanner often. How do I detect if I am infected? Neither BitDefender nor ESET found any problems. I am wary of installing Kaspersky :-(

How do I remove and cleanup any problems?

Re: Detection and Cleanup

[Way Smarter Than You]

You install and use kaspersky to find this and then use a kaspersky scanner to find that and then you .... It's turtles all the way down.

Re:

[swillden]

I have used CamScanner often. How do I detect if I am infected? Neither BitDefender nor ESET found any problems. I am wary of installing Kaspersky :-(

How do I remove and cleanup any problems?

AFAICT, there's no evidence that this trojan dropper carried any payload capable of breaching the app sandbox, so uninstalling the app and deleting all files in the shared data space (go to Settings -> Storage -> Files) should take care of it. If you want to be completely certain, factory reset your phone.

Also, a comment on Android anti-virus apps... you're completely right to be wary of Kaspersky, but you should be wary of all of them. Unless you've rooted your device (in which case my previous c

I uninstalled mine...

[TheHawke]

And now I'm waiting for it to return. I've used it in the past and it is a well made app, suitable for contractors or work abroad where you don't have access to a scanner or PDF converter.

Re:

[b0bby]

I have used the paid version for many years now (not any subscription, just the license) - it has always worked well for me. I may try Office Lens instead now, but I think that the paid version, since it didn't have the ad framework, is likely not affected. I'm basing this on speculation, though, so don't take my word for it.

Re:

[kimgkimg]

I switched to ClearScanner. Works as easily as CamScanner use to, and has a lot of CamScanner defectors.

Those figures

[Malays Bowman]

I keep hearing about how X app has 100 million plus downloads, and yet I never hear about it until it's mentioned here on Slashdot, or other sites when there is malware involved. And I am very much in the know about these things.

I think these kind of numbers are artificially inflated, and likely by the botnet that the unfortunate few who download X are now unwittingly part of. "ooh, this app has 100M+ downloads! It must be legit!"

Google might want to look into patching the hole in Google Play that