Android App Update Hijacks Millions of Devices

Philip Bader | Vulnerabilities

Users of a popular Android app with more than 10 million downloads recently discovered that the previously trustworthy app had become a delivery platform for fraudulent ads. Malwarebytes published an analysis of complaints from its forum users about the Barcode Scanner app, which was created by LavaBird LTD and was available on Google Play until recently.

The Barcode Scanner app billed itself as “a powerful QR code reader and barcode generator that supports all major barcode formats.” It had more than 70,000 reviews and a 4+ star rating. And for the last several years, the app did exactly what it promised. But that changed when the mobile app received its most recent update.

A Good App Gone Bad

The problem, according to Malwarebytes, began when users on their blog forum started reporting the unexpected appearance of advertisements on their Android devices. The ads opened automatically in their device’s default web browser. These users noted that they had not recently downloaded any software and that all their apps came from the Google Play store.

The advertisements were later traced to the Barcode Scanner app, and specifically to the most recent application update posted on or around December 4, 2020. Prior to the update, some users of the app had it installed on their devices without problems for several years. Google subsequently removed the app from Google Play. But anyone who previously downloaded the Barcode Scanner app will need to remove it manually from their phone.

Legitimate In-App Ads

Advertisements are included in most free mobile apps. The inclusion of ads helps developers distribute these apps without charge while providing an important source of revenue. In most cases, in-app ads can be avoided by purchasing a premium version instead of using the free version.

The advertising component, as Malwarebytes pointed out, often comes from a third-party advertising software development kit, or SDK, which is appended to the mobile app’s code. Most of the time, these ads appear normally within a free app. But occasionally, changes to the SDK can result in more persistent advertising without the developer’s knowledge.

Developer-Led ‘Malvertising’

In the case of LavaBird’s Barcode Scanner app, Malwarebytes points out that code had been added specifically to the recent update that was not present in previous versions. This code, designated by Malwarebytes as Android/Trojan.HiddenAds.AdQR, was responsible for generating ads outside of the mobile app.

What’s more, the malicious code was written in a way that indicated the coders were making every effort to keep it from being detected by Google Play Protect, a security suite that scans apps for security vulnerabilities. Malwarebytes researchers determined that the malicious code came from the app developer because the previously clean versions and the recent update were signed with the same digital certificate.
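The certificate comparison described above can be reproduced by an analyst who has two builds of the same package. The following is an added example, not code from Malwarebytes or from the original article: it parses the report lines printed by `apksigner verify --print-certs` and compares the signer digests. The reports, DN and digest values are constructed placeholders, and the function names are hypothetical.

```python
import re

# Line format printed by `apksigner verify --print-certs <apk>`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)

def signer_digests(report):
    """Return the set of SHA-256 signer-certificate digests in one report."""
    return {d.lower() for d in DIGEST_RE.findall(report)}

def compare_signers(old_report, new_report):
    """Classify how the signers of two builds of one package relate."""
    old, new = signer_digests(old_report), signer_digests(new_report)
    if not old or not new:
        return "unknown"            # unsigned build or unparsable report
    if old == new:
        return "same-signer"        # update was signed with the same key
    if old & new:
        return "partial-overlap"    # some signers added or dropped
    return "different-signer"       # e.g. a repackaged copy

def make_report(*digests):
    # Constructed sample reports; DN and digests are placeholders.
    lines = []
    for i, d in enumerate(digests, 1):
        lines.append(f"Signer #{i} certificate DN: CN=Example Developer")
        lines.append(f"Signer #{i} certificate SHA-256 digest: {d}")
    return "\n".join(lines) + "\n"

DEV_KEY = "ab" * 32      # constructed placeholder digest
OTHER_KEY = "cd" * 32    # constructed placeholder digest

CLEAN_BUILD = make_report(DEV_KEY)
UPDATED_BUILD = make_report(DEV_KEY.upper())   # same cert, different case
REPACKAGED_BUILD = make_report(OTHER_KEY)

if __name__ == "__main__":
    print(compare_signers(CLEAN_BUILD, UPDATED_BUILD))
    print(compare_signers(CLEAN_BUILD, REPACKAGED_BUILD))
```

A "same-signer" result identifies who held the signing key for both builds; it says nothing about whether the code in either build is benign.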

An Increasingly Dangerous Mobile Landscape

In its Mobile Threat Report from 2020, antivirus software maker McAfee noted an increase in malware infections by apps that you might not even know you have. These hidden apps, which generate revenue largely by fraudulent advertising, often get distributed not through Google Play but as links in YouTube videos or search results for free mobile apps.

LeifAccess, also known as Shopper, is one example of this hidden threat. Once it infects an Android device, LeifAccess can take control of sign-on and accessibility services to create accounts, download apps from Google Play, and post fake reviews to boost the legitimacy of other fraudulent apps. And LeifAccess has no app icon or any other indication that it resides on a user’s device.

Make Sure Your Mobile Device is Secure

It’s important to remember that your smartphone is in fact a powerful computer. It deserves the same attention to cybersecurity as your laptop or desktop computer. Some general good hygiene practices include removing unused or infrequently used apps, making sure you know what data your apps collect, when that is possible, and configuring your security settings appropriately.

Mobile devices of all kinds face increasingly sophisticated cybersecurity threats. Malware that floods your device with unwanted ads is annoying, but malicious apps can do so much more to endanger your security. Banking trojans can self-perpetuate through SMS messages, collect contacts, see which apps you have installed, and harvest files connected to financial transactions.

Having a strategy to protect your personal data requires some careful planning and the flexibility to react to new and emerging threats. SecureData has driven innovation in hardware-encrypted secure data storage, data recovery services, remote drive management, and endpoint protection. We build the products that keep your data safe.

Call us at 1-800-520-1677 to speak to one of our experts about how to create and implement an effective data security plan.