A hugely popular Android app in the Google Play Store has been infecting millions of Android smartphone and tablet users with potentially malicious advertising. The Barcode Scanner app, developed by Lavabird Ltd, has more than ten million downloads via the Play Store, and it has recently been discovered that an update to the app has put millions of users at risk of malicious attacks, including the hijacking of sensitive user data.
Lavabird’s Barcode Scanner app has been incredibly popular in recent years, giving mobile users a chance to transform their smartphone or tablet cameras into barcode or QR scanners for products, enabling them to find the most competitive price for goods. However, Malwarebytes discovered that an update to the app in December 2020 resulted in the app launching malicious adverts unexpectedly on users’ devices, even when they had not interacted with the app.
The issue of malvertising is plaguing the digital ecosystem at present. It has become a huge source of revenue for cyber-criminals and fraudsters lurking online. These malicious online ads are programmed to pop up and execute harmful code, often through a publisher’s page or app without the publisher’s knowledge. Although a publisher may not be aware this is happening, the onus is increasingly on content providers to ensure they safeguard their users from the threat of malvertising, protecting their own reputation and integrity at the same time.
This particular piece of malware in the Barcode Scanner app was detected hidden deep within a software update of December 2020. Malwarebytes confirmed it discovered a trojan named Android/Trojan.HiddenAds.AdQR, which was devised to circumvent Google’s security guidelines. The app update was manipulated to enable it to distribute malvertising without users being warned. The update had also been signed with the same security certificate as previous updates to the Barcode Scanner app.
Of course, there are lots of app developers that knowingly accept ads via their chosen software development kit (SDK) to enable them to provide apps that can be downloaded for free. And even though some ads can become rather more aggressive in their placement, this form of malvertising was on another level in terms of its concealment and malicious nature.
Premium, paid-for apps do not tend to have advertising SDKs included in the app’s code. That’s because paid-for apps rarely allow advertising to be pushed out to their users. What this does suggest is that the SDK in question for Barcode Scanner is at fault for allowing a malicious package to be incorporated into the software. It’s equally disconcerting that this kind of malicious behavior can occur undetected by Google’s Play Protect division, which was established for this precise purpose: to pinpoint and remove apps that put the safety of users at risk.
Once Google was made aware of the issue with the Barcode Scanner app, it was promptly removed from the Play Store, but that doesn’t solve the problem fully. Removal from the store does not uninstall the app from devices, so there will be hundreds of thousands, if not millions, of users that still have the Barcode Scanner app installed on their mobile device. It’s important to raise awareness of these apps to help stop fraudsters in their tracks, preventing them from doing any further damage.