Barcode scan app amassed millions of downloads before weird update started popping open webpages...

Android software kicked out of Google Play Store, may still be active on many handhelds


Updated Barcode Scanner, a popular Android app, slipped undesirable code into an update in early December. The update had the potential to reach more than 10m devices, though actual distribution is believed to be far less.

Several weeks later, Google removed the app from Google Play. Those who downloaded the software and accepted the update may still have the problematic code on their mobile devices; it appears to open the browser and visit websites all by itself.

Barcode Scanner, distributed by a London-based company called LavaBird, received an update on December 4, 2020, that appears to have introduced the code in question, according to Nathan Collier, a security researcher at Malwarebytes. LavaBird's now-banished Android app shouldn't be confused with ZXing Team's Barcode Scanner that remains in the Play Store.

LavaBird did not immediately respond to a request for comment.

Collier said in a blog post that this was not a case of a third-party SDK within the app going weird: it was a deliberate change. "Furthermore, the added code used heavy obfuscation to avoid detection," he noted.

Collier also noted that the altered version was signed with the same code-signing certificate as known clean versions. Android will only install an update over an existing app if it is signed with the same key, so a matching certificate means the malicious build was produced by whoever held the app's legitimate signing key and shipped through its normal publishing channel, rather than being a repackaged clone passed off under the same name.


After the update was pushed out, it took about three weeks before people's complaints drew attention to Barcode Scanner, at which point Malwarebytes began to block it. The software, which opens users' browsers, redirects them to unwanted websites, and prompts further software installation, has been dubbed Android/Trojan.HiddenAds.AdQR.

The Register asked Google to confirm when it removed Barcode Scanner and whether it has taken, or plans to take, any action to remove subverted versions of Barcode Scanner on Android users' devices. Google's app defense mechanism, Google Play Protect, has the ability to issue notifications about apps, to disable them, and to remove them automatically. We've not heard back from Google about how it responded.

Collier, via a spokesperson for Malwarebytes, said the antivirus biz could not confirm when Google removed the app but it was after he posted about it on the Malwarebytes forum on December 24, 2020. He said he's not sure how many people actually installed the update, and added that Google Play Protect has not removed the app from Android devices.

Barcode scanning apps appear to be a popular vehicle for adware. In June last year, security biz TrendMicro reported finding two adware-laden barcode reading apps in Google Play, with 2m downloads between them. The outfit also identified 51 other apps that exhibited the same adware behavior. ®

Updated to add

After this story was filed, LavaBird wrote to us to say the company had sold Barcode Scanner to a third party, and the malicious code was added by the buyer while the app was still associated with LavaBird's Google Play account.

“The update that we published from our account was made by the buyer to verify the key and password from the application,” the company said. “The buyer was given access to the Google Play console of this application and he updated it himself. After that in a week, we transferred an application to buyer Google Play account – it was the 7th of December.”

Malwarebytes subsequently concluded that LavaBird was not to blame but was the victim of a social-engineering attack through which a malicious third party takes over a popular app.

“Ultimately, I believe LavaBird’s claims,” wrote Collier in a follow-up post.

"Unfortunately, LavaBird came into our cross-hairs after firing off a blog about this malicious Barcode Scanner. As the evidence shows, we were right in doing so. Regardless, now knowing the full story we apologize it led to this. We write this in hopes of clearing LavaBird's name."


Biting the hand that feeds IT © 1998–2022