Android Security Software

Android Barcode Scanner With 10 Million+ Downloads Infects Users (arstechnica.com) 54

An anonymous reader quotes a report from Ars Technica: A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search-and-advertising giant to remove it. Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.

[Malwarebytes mobile malware researcher Nathan Collier] wrote: "No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR." Google removed the app after Collier privately notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.

  • Not so curated (Score:4, Insightful)

    by PingSpike ( 947548 ) on Tuesday February 09, 2021 @09:10AM (#61043520)
    It's a good thing users aren't downloading dangerous software from just any old place on the web and are instead getting trusted software from Google's official source where they know that Google engineers have closely checked the source for any malicious intent. And Google can help keep your software up to date with the latest versions to assure the highest level of security!
    • I mean what's the point. If you have a Google device you almost certainly have Google Now / Cards / Search / Whateverthefuckitscallednow. Just hit the search bar, click the little image button, and point it at a barcode. Or just use your camera app, which these days also has this functionality.

      My current 4 year old phone out of the box in factory preset condition comes with 2 ways of scanning barcodes.

  • I used that very app for a long time as my barcode scanner because it would scan barcodes and QR codes. But why didn't Android's camera app do that? So weak.

    • I wondered this for a long time too. Turns out it's because Google effectively abandoned (because of course they fucking did) the stock Android camera app a long time ago. They shifted all of their support to the Pixel specific camera app which of course only works on Pixel phones. So everyone else is left out in the cold to either use a camera app from the 2000's or if they are big enough like Samsung, to just develop their own. This leads people to downloading dedicated apps to gain functionality that you

      • You're thinking too specific. The reality is the plain simple "Google" app that is already on every phone has the lens functionality embedded too, the lens button is on the search bar within the app. And when Google abandoned the default camera all the other camera apps took them to task. The Samsung Camera for example also scans barcodes.

    • > I used that very app for a long time as my barcode scanner because it would scan barcodes and QR codes

      Try NeoReader. Its wifi connector even works reliably on most flavors of Android.

    • But why didn't Android's camera app do that? So weak.

      It does. On top of that, Google's Search app on the phone does it too. There are literally already 2 barcode scanner apps on most phones.

      • But why didn't Android's camera app do that? So weak.

        It does.

        It didn't for years.

        • Not sure which years you're talking about but my 4 year old phone, and my girlfriend's 4 month old phone both do. I think you'll find most consumers aren't carrying around a relic. And again, the Google search app integrated this function too so even if it wasn't part of the camera it's still irrelevant.

  • by BeneathTheVeil ( 305107 ) on Tuesday February 09, 2021 @09:15AM (#61043528) Journal

    Sounds like my 6am code.

  • by v1 ( 525388 ) on Tuesday February 09, 2021 @09:15AM (#61043530) Homepage Journal

    but there's definitely a tiger on the loose in the garden, and it seems that Google is OK with that??

    What's the point of their Protect tool if they don't use it when the exact reason it exists comes up?

    • This is exactly why I turned play protect off when I was using google play (I'm not now.) It's seemingly never used to protect users, which means its only use cases must be nefarious.

    • Well, the original walled garden had a pretty sneaky talking snake in it, so I suppose none of this should come as a huge surprise.
    • Because the people who care use f-droid anyway.

  • Be it in OSes, Android or anything. I try to keep abreast of vulnerabilities and update piecemeal when I need to. But automatic updates? I don't think so: all it takes is one well-intentioned dev who decided to rewrite the whole UI I know and like to the latest fad, one regression or - like in this case - one sellout to the dark side to ruin my day.

    I validate what I use and then I stick with it unless there's a good reason not to. I'll never understand why people choose to relinquish control of their entire machine blindly to third-parties with automatic updates. It's mind-boggling to me.

    • Because many times those updates are done to plug a security hole or serious bug in the app, which is something that I personally want as soon as possible.

    • by bws111 ( 1216812 )

      It's mind-boggling? Really? You can't understand that the vast majority of people have better/more interesting things to do than 'keep abreast of vulnerabilities'?

      • > You can't understand that the vast majority of people have better/more interesting things to do than 'keep abreast of vulnerabilities'?

        At my old job I maintained a database of every CVE (vulnerability) that existed. At my current job, I have to analyze the 80 or so vulnerabilities discovered and patched in Microsoft products each month, along with Cisco, Palo Alto and a few others. It's my job to decide which ones have to be rolled out TODAY, which ones need to be done this week, and which can be incl

    • by Ichijo ( 607641 ) on Tuesday February 09, 2021 @11:23AM (#61043944) Journal

      Just give me fine control over automatic updates:

      1. Security flaws only.
      2. Also bug fixes. No new features.
      3. Also minor version upgrades. New features are allowed but no breaking changes.
      4. Also major version upgrades, including any breaking changes.

      #1 and #2 are PATCH level changes under Semantic Versioning [semver.org] and might get mixed together but I think that's fine.
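The four levels in the comment above, written as an update gate in Python. This is an added example, not part of the original comment or of any app store's updater; the function names and the handling of 0.x and pre-release versions are assumptions.

```python
import re

# Levels 1-4 from the comment; SemVer cannot tell 1 from 2, both are PATCH.
LEVEL_ALLOWS = {1: "patch", 2: "patch", 3: "minor", 4: "major"}
RANK = {"patch": 0, "minor": 1, "major": 2}
_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(version):
    """Return (major, minor, patch, prerelease-or-None); reject anything else."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a SemVer string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def change_kind(installed, candidate):
    """Classify the step installed -> candidate; None if it is not an upgrade."""
    a, b = parse(installed), parse(candidate)
    if b[:3] < a[:3]:
        return None                      # downgrade
    if b[:3] == a[:3]:
        # Same numbers: only pre-release -> final release counts as an upgrade.
        return "patch" if a[3] and not b[3] else None
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        # Convention used by Cargo and npm caret ranges: 0.x minor bumps break.
        return "major" if a[0] == 0 else "minor"
    return "patch"


def auto_apply(installed, candidate, level):
    """True if the update may install unattended under policy level 1-4.

    The version string is whatever the publisher declares, so this gate only
    limits the size of change a publisher claims, not what the code does.
    """
    kind = change_kind(installed, candidate)
    if kind is None or parse(candidate)[3] is not None:
        return False                     # no downgrades, reinstalls, pre-releases
    return RANK[kind] <= RANK[LEVEL_ALLOWS[level]]


if __name__ == "__main__":
    for cand in ("2.3.2", "2.4.0", "3.0.0", "2.3.2-beta.1"):  # constructed samples
        print(cand, [auto_apply("2.3.1", cand, lvl) for lvl in (1, 2, 3, 4)])
```
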

      • by Alumoi ( 1321661 )

        And then every freaking update will be marked as 1 or 2.
        After all, NOT uploading every piece of info to the mothership is a security flaw/bug.

      • Uah 4 options? Too complicated.

        - Sincerely, the 1 billion other phone users who think you, like, clearly don't get it.

  • Giant meteor please (Score:5, Informative)

    by mvdwege ( 243851 ) <mvdwege@mail.com> on Tuesday February 09, 2021 @10:12AM (#61043684) Homepage Journal

    Goddamn it people are stupid. Google pulled the malware app, and now people are flooding the reviews of another Barcode Scanner app (with the same name) with one star reviews claiming that is the malware. I had to doublecheck with the Ars article to find out that Barcode Scanner from ZXing Team [google.com] installed on my phone was not the afflicted app.

    Give me a giant meteor impact. Surely the cockroaches can't be worse than us once they've evolved after that.

    • by Tx ( 96709 ) on Tuesday February 09, 2021 @10:48AM (#61043814) Journal

      Well, it doesn't help that TFA (both here and on Ars) seem to lack some simple details that would make it easy to see which app we're talking about, such as the developer name. How many people know how to find the MD5 hash of an app, or the underlying package name?

      • by mvdwege ( 243851 )

        Erm, the Ars article specifically calls out the ZXing Barcode Scanner app as safe, not the malware app. I explicitly mentioned that, even.

      • by klui ( 457783 )

        Yeah not identifying the dev name was a mistake.

        archive.org shows app name is "Barcode Scanner," dev name was also "Barcode Scanner." The problem is the cache doesn't show 10 million+ users.

    • Thank you for actually giving that name. I have the ZXing Team one installed too and I was wondering.

  • Malwarebytes on Android told me about this weeks ago and I removed it.
  • This shit happened to my phone. I went nuts uninstalling app after app until I reached the barcode one. Fucking drove me insane with the damn pop-ups.
  • I look for open source apps. It can still happen but with open source you can look at the code. And if you are really paranoid, build it yourself.
    • Open source stuff gets trojans and malware too, usually during packaging. While good documentation of build environments makes it easier for multiple people to produce identical binaries, it's still not a universal property of open source projects. Open Source does give you a lot of free auditing from third parties (e.g. users), but OSS is not a panacea for stopping malware.

  • doesn't flag the Google App Store as having an unpatched security vulnerability? How many malicious apps does it take before somebody from Google P0 takes a look at the demonstrably broken review process?
  • What possible disincentive is there from the malignant dev's point of view? None.
    He sells some ads, makes some $, gets shut down.

    Uses that money to buy some app from some other starving developer, does the same thing.
    There's zero practical possibility to filter his work out of the store pre-emptively.

    I'm asking seriously.

    Until someone rolls around his place late one night and breaks a kneecap or two, why would he POSSIBLY stop?

  • Naturally, rather than make the app un-downloadable in the app store but leaving it there so people can easily figure out that they have malware or uninstalling it and suggesting alternatives, Google just poofed it leaving no evidence it was ever there.

    Best yet would be to force it back to the last known good version.
