CamScanner was just another OCR-based (optical character recognition) PDF creator app for Android that, over time, got quite popular.
Before Google pulled it from the Play Store, CamScanner amassed more than 100 million downloads. In fact, its Google Play listing boasts more than 380 million installs. But then problems arose.
It seems that one of the app's recent updates brought in an advertising library containing a malicious module. Before that happened, CamScanner was a legitimate, harmless app. It offered free and paid versions, the free one supported by ads like so many other free apps. The paid version was available as an in-app purchase, after which users no longer received ads.
Kaspersky Lab suspected it first
But, according to Kaspersky Lab, a recent update infected CamScanner's ad library.
The malicious module was identified as a Trojan Dropper. The term means that the module's job is to extract and decrypt an encrypted file stored in the app's resources.
The extracted file can then download further malicious content capable of all kinds of shady behavior. For instance, as Kaspersky noted, “an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.”
It is a Trojan Dropper
The trojan dropper in question was identified as Trojan-Dropper.AndroidOS.Necro.n.
What’s interesting is that a similar trojan dropper came as part of preinstalled malware found in many Chinese-made phones. It’s worth mentioning that the developers of the app aren’t responsible for adding the trojan dropper to their app.
The malicious code was added by a third-party advertiser that had an advertising agreement with the developers.
Kaspersky Lab reported CamScanner’s malicious code to Google, and the app was removed from Google Play soon after.
The developers then removed the malicious code from the app and updated it for current users, but the app still isn’t available on the Play Store. Also, since the Google Play store allows users to turn off automatic app updates, some devices may still have infected versions of the app.
What’s interesting is that the app caught Kaspersky Lab’s eye because of a massive influx of negative reviews in the past month.
Users reported shady actions and “the presence of unwanted features.” And this is the sad truth about the Android ecosystem. Even though Google scans millions of apps before they get approved, there are still malicious ones that fly under the radar.
And even when an app is extremely popular, with a huge user base and excellent reputation, one update can ruin it all.
So, before you download the next app from the Play Store, check out its reviews; they seem like the best indication that something could be wrong. And delete apps you don’t use on a regular basis – even if they are harmless at the moment, things can go south in a second after just one update.