Android barcode scanner app has pushed malware into millions

A popular app was removed from Google Play after it was discovered that it had delivered trojanized malware to millions of users. phones via an update.

Until recently, Barcode Scanner was a simple app that provided users with a basic QR code reader and barcode generator, useful for things as make purchases and use discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ldt., And claims to have over 10 million downloads, the Wayback Machine watch.

However, a wave of malicious activity has recently been attributed to the app. Users started noticing something weird with their phones: Their default browsers kept getting hijacked and redirected to random ads, seemingly out of nowhere. For a number of people, it was unclear what caused the disruption, as many had not recently downloaded any apps. After enough irritated victims wrote about their experiences on a web forum, one user finally pointed out Barcode.

Malwarebytes researchers have verified that the scanner is the culprit, releasing a new report it shows it delivered the ad-producing malware to users’ phones, presumably through a December update. The update spoiled the previously benign application, turning it from an “innocent scanner to malware,” the researchers write.

Researchers distinguish malware pushing Barcode ads from ad SDK: programs used by editors to run in-app advertising for monetization purposes – claiming “it wasn’t” with Barcode Scanner. Anyone who injected the malicious code used heavy cover-up to hide the fact that it was there, the researchers say, adding that the app appears to have been intentionally transformed from a normal app to a malicious one via the update. They write:

It’s scary that with an update an app could become malicious while still going under the radar of Google Play Protect. It’s baffling to me that an app developer with a popular app turns it into malware. Was it the pattern all along, to have an app dormant, waiting to hit after it reached popularity? I guess we’ll never know.

While Google has removed Barcode Scanner from its App Store, it did not leave the affected devices. Users of the app will still need to manually uninstall it from their phone.

The owner of Barcode Scanner, Lavabird Ltd., was incorporated in 2020 and is registered at an address in London, according to available online recordings. The director of the company, Dmytro Kizema, resides in Ukraine.

Gizmodo has contacted Lavabird and will update if we have any news.