Android Barcode Scanner With 10 Million+ Downloads Infects Users (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search-and-advertising giant to remove it. Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.
[Malwarebytes mobile malware researcher Nathan Collier] wrote: "No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR." Google removed the app after Collier privately notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.
Not so curated (Score:4, Insightful)
Re: (Score:2)
I mean what's the point. If you have a Google device you almost certainly have Google Now / Cards / Search / Whateverthefuckitscallednow. Just hit the search bar, click the little image button, and point it at a barcode. Or just use your camera app, which these days also has this functionality.
My current 4 year old phone out of the box in factory preset condition comes with 2 ways of scanning barcodes.
Why didn't Android's camera do this from day 1? (Score:2)
I used that very app for a long time as my barcode scanner because it would scan barcodes and QR codes. But why didn't Android's camera app do that? So weak.
Re: (Score:3)
I wondered this for a long time too. Turns out it's because Google effectively abandoned (because of course they fucking did) the stock Android camera app a long time ago. They shifted all of their support to the Pixel-specific camera app, which of course only works on Pixel phones. So everyone else is left out in the cold to either use a camera app from the 2000's or, if they are big enough like Samsung, to just develop their own. This leads people to downloading dedicated apps to gain functionality that you
Re: (Score:2)
pay the developer?
Re: (Score:2)
You're thinking too specific. The reality is the plain simple "Google" app that is already on every phone has the Lens functionality embedded too; the Lens button is on the search bar within the app. And when Google abandoned the default camera, all the other camera apps took them to task. The Samsung Camera, for example, also scans barcodes.
Re: (Score:2)
> I used that very app for a long time as my barcode scanner because it would scan barcodes and QR codes
Try NeoReader. Its wifi connector even works reliably on most flavors of Android.
Re: (Score:2)
But why didn't Android's camera app do that? So weak.
It does. On top of that, Google's Search app on the phone does it too. There are literally already 2 barcode scanner apps on most phones.
Re: (Score:2)
But why didn't Android's camera app do that? So weak.
It does.
It didn't for years.
Re: (Score:2)
Not sure which years you're talking about but my 4 year old phone, and my girlfriend's 4 month old phone both do. I think you'll find most consumers aren't carrying around a relic. And again, the Google search app integrated this function too so even if it wasn't part of the camera it's still irrelevant.
Heavy obfuscation? (Score:5, Funny)
Sounds like my 6am code.
not exactly a "walled" garden (Score:5, Insightful)
but there's definitely a tiger on the loose in the garden, and it seems that Google is OK with that??
What's the point of their Protect tool if they don't use it when the exact reason it exists comes up?
Re: (Score:2)
This is exactly why I turned Play Protect off when I was using Google Play (I'm not now). It's seemingly never used to protect users, which means its only use cases must be nefarious.
Re: (Score:3)
Because the people who care use f-droid anyway.
That's why I don't upgrade when I don't need to (Score:4)
Be it in OSes, Android or anything. I try to keep abreast of vulnerabilities and update piecemeal when I need to. But automatic updates? I don't think so: all it takes is one well-intentioned dev who decided to rewrite the whole UI I know and like to the latest fad, one regression or - like in this case - one sellout to the dark side to ruin my day.
I validate what I use and then I stick with it unless there's a good reason not to. I'll never understand why people choose to relinquish control of their entire machine blindly to third-parties with automatic updates. It's mind-boggling to me.
Re: (Score:3)
Because many times those updates are done to plug a security hole or serious bug in the app, which is something that I personally want as soon as possible.
Re: (Score:2)
It's mind-boggling? Really? You can't understand that the vast majority of people have better/more interesting things to do than 'keep abreast of vulnerabilities'?
I do that for a living and still ... (Score:2)
> You can't understand that the vast majority of people have better/more interesting things to do than 'keep abreast of vulnerabilities'?
At my old job I maintained a database of every CVE (vulnerability) that existed. At my current job, I have to analyze the 80 or so vulnerabilities discovered and patched in Microsoft products each month, along with Cisco, Palo Alto and a few others. It's my job to decide which ones have to be rolled out TODAY, which ones need to be done this week, and which can be incl
Re:That's why I don't upgrade when I don't need to (Score:5, Insightful)
Just give me fine control over automatic updates:
1. Security flaws only.
2. Also bug fixes. No new features.
3. Also minor version upgrades. New features are allowed but no breaking changes.
4. Also major version upgrades, including any breaking changes.
#1 and #2 are PATCH level changes under Semantic Versioning [semver.org] and might get mixed together but I think that's fine.
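The four-level policy proposed above can be written down as a small update filter. This is an added example, not code from the commenter or from any app store: it parses MAJOR.MINOR.PATCH versions, classifies a candidate update relative to the installed version, and applies the chosen policy level. The `security` flag on an update is an assumption: Semantic Versioning cannot distinguish a security fix from an ordinary bug fix, so level 1 can only work if the publisher supplies that information separately (release notes, an advisory feed), which is exactly where the "mark everything as level 1" abuse the thread mentions would creep in.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Strict MAJOR.MINOR.PATCH; pre-release/build suffixes are deliberately rejected here.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Policy levels as proposed in the comment above.
POLICY_SECURITY_ONLY = 1   # security fixes only
POLICY_BUGFIX = 2          # plus other bug fixes, no new features
POLICY_MINOR = 3           # plus minor upgrades (features, no breaking changes)
POLICY_MAJOR = 4           # everything, including breaking changes


@dataclass
class Update:
    version: str
    # Hypothetical publisher-declared flag; semver alone cannot carry this.
    security: bool = False


def parse_version(v: str) -> tuple:
    m = SEMVER_RE.match(v)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    return tuple(int(x) for x in m.groups())


def classify(current: str, candidate: str) -> str:
    """Return 'none', 'patch', 'minor' or 'major' for candidate relative to current."""
    cur, new = parse_version(current), parse_version(candidate)
    if new <= cur:
        return "none"            # same version or a downgrade: never auto-apply
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def should_auto_apply(current: str, update: Update, policy: int) -> bool:
    kind = classify(current, update.version)
    if kind == "none":
        return False
    if kind == "patch":
        if policy >= POLICY_BUGFIX:
            return True
        # Level 1: a patch release is only auto-applied if it is flagged as a security fix.
        return update.security
    if kind == "minor":
        return policy >= POLICY_MINOR
    return policy >= POLICY_MAJOR   # major


def pick_update(current: str, available: list, policy: int) -> Optional[str]:
    """Highest version among the available updates that the policy allows, or None."""
    allowed = [u.version for u in available if should_auto_apply(current, u, policy)]
    return max(allowed, key=parse_version) if allowed else None


if __name__ == "__main__":
    # Constructed sample release list for an installed 1.4.2.
    releases = [Update("1.4.3"), Update("1.4.4", security=True), Update("1.5.0"), Update("2.0.0")]
    for level in (POLICY_SECURITY_ONLY, POLICY_BUGFIX, POLICY_MINOR, POLICY_MAJOR):
        print(f"policy {level}: would auto-apply {pick_update('1.4.2', releases, level)}")
```

Note that the filter trusts the publisher's version numbers and security flag; a developer who sells out, as in the story above, can ship a trojanised build as 1.4.3 and it will pass level 2, which is why the version policy complements, rather than replaces, checking what the update actually does.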
Re: (Score:2)
And then every freaking update will be marked as 1 or 2.
After all, NOT uploading every piece of info to the mothership is a security flaw/bug.
Re: (Score:2)
Exactly. Like when Microsoft bundles a Win10 upgrade as a critical security patch.
Re: (Score:2)
Uah 4 options? Too complicated.
- Sincerely, the 1 billion other phone users who think you, like, clearly don't get it.
Giant meteor please (Score:5, Informative)
Goddamn it, people are stupid. Google pulled the malware app, and now people are flooding the reviews of another Barcode Scanner app (with the same name) with one-star reviews claiming that it is the malware. I had to double-check with the Ars article to find out that Barcode Scanner from ZXing Team [google.com] installed on my phone was not the afflicted app.
Give me a giant meteor impact. Surely the cockroaches can't be worse than us once they've evolved after that.
Re:Giant meteor please (Score:4, Insightful)
Well, it doesn't help that TFA (both here and on Ars) seems to lack some simple details that would make it easy to see which app we're talking about, such as the developer name. How many people know how to find the MD5 hash of an app, or the underlying package name?
Re: (Score:2)
Erm, the Ars article specifically calls out the ZXing Barcode Scanner app as safe, not the malware app. I explicitly mentioned that, even.
Re: (Score:2)
Yeah not identifying the dev name was a mistake.
archive.org shows app name is "Barcode Scanner," dev name was also "Barcode Scanner." The problem is the cache doesn't show 10 million+ users.
Re: (Score:2)
Thank you for actually giving that name. I have the ZXing Team one installed too and I was wondering.
Malwarebytes (Score:1)
Happened to me! (Score:1)
Open Source apps. (Score:2)
Re: (Score:2)
Open source stuff gets trojans and malware too, usually during packaging. While good documentation of build environments makes it easier for multiple people to produce identical binaries, it's still not a universal property of open source projects. Open Source does give you a lot of free auditing from third parties (e.g. users), but OSS is not a panacea for stopping malware.
How come Google's Project Zero (Score:2)
Because there's no CONSEQUENCES for shitty stuff (Score:2)
What possible disincentive is there from the malignant dev's point of view? None.
He sells some ads, makes some $, gets shut down.
Uses that money to buy some app from some other starving developer, does the same thing.
There's zero practical possibility to filter his work out of the store pre-emptively.
I'm asking seriously.
Until someone rolls around his place late one night and breaks a kneecap or two, why would he POSSIBLY stop?
Re: Which barcode scanner app? (Score:3)
The one by ZXing is safe but has been flooded with bad reviews by idiots blaming it going by the name. The bad app(le) had been taken out by the time the Ars article came out.
Of course (Score:2)
Naturally, rather than making the app un-downloadable in the app store while leaving it there so people can easily figure out that they have malware, or uninstalling it and suggesting alternatives, Google just poofed it, leaving no evidence it was ever there.
Best yet would be to force it back to the last known good version.