An Android PDF maker with more than 100 million downloads from the official Play Store has been caught silently installing malware on victims' phones.
Kaspersky's eggheads Igor Golovin and Anton Kivva claim CamScanner, an application that turns images into PDFs to share and edit, contains a library that quietly fetches and runs spyware and other software nasties. According to the pair on Tuesday, the trojan, known as Necro.n, was most likely snuck into the app under the guise of an advertising package.
Golovin and Kivva suggested the developers of CamScanner may not even be aware of the lurking nasty, though the duo say that the malicious code has been present and doing its thing long enough to draw a number of complaints in the reviews section of the Play store.
"After analyzing the app, we saw an advertising library in it that contains a malicious dropper component," the Kaspersky crew said.
"Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser."
Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware. Delete it nowREAD MORE
According to the malware hunters, the Necro.n trojan itself doesn't actually perform any malicious activity on its own, such as spying on users or harvesting device and contact information. Rather, it is simply acting as the downloader for other modules that will actually do the dirty work.
"The owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," Kaspersky explained.
The Register has reached out to CamScanner's developer for comment, but has yet to hear back at the time of publication. The software has vanished from the Play Store.
This would not be the first time an Android application has been found to be secretly serving up malware to unsuspecting users. Previously, malware operators have used tricks ranging from dodgy advertisements to re-packaging legitimate apps with attack code in order to get past Google's security protections. ®