CamScanner, a phone PDF creator app, has been found containing a malicious dropper component.
Igor Golovin and Anton Kivva, researchers at Kaspersky Labs, analysed the app after it had started to receive negative user reviews over the past month. It was discovered that the popular app had contained a malicious component known as “Trojan-Dropper.AndroidOS.Necro.n”.
“It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” the researchers explained.
When CamScanner is run, the dropper is designed to download and launch a malicious payload from malicious servers. The dropper decrypts and executes the malicious code contained in the mutter.zip file in the app resources.
Subsequently, attackers can use an infected device to show victims intrusive advertising to steal money from their mobile accounts by charging paid subscriptions.
Once reporting to Google about the findings, the app was removed from Google Play, however as the app versions differs with devices, it is recommended that all users uninstall the app.
This isn’t the first time a malicious app has slipped past Google Play Store’s app scanning process. It war revealed by CheckPoint last month that a new malware connected to the Agent Smith campaign had been found on 11 apps in the Google Play store, which resulted in 11 million downloads.
Additionally, a new clicker Trojan was identified in 33 apps on Google Play which resulted in over 100 million downloads.
“The problem is that even such a powerful company as Google can’t thoroughly check millions of apps,” Kaspersky wrote in a blog post.
“CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.