Barcode scan app amassed millions of downloads before weird update starting popping open webpages...

Updated Barcode Scanner, a popular Android app, slipped undesirable code into an update in early December, an update that had the potential to reach more than 10m devices though actual distribution is believed to be far less.

Several weeks later, Google removed the app from Google Play. Those who downloaded the software and accepted the update may still have on their mobile devices the problematic code, which appears to open the browser and visits websites all by itself.

Barcode Scanner, distributed by a London-based company called LavaBird, received an update on December 4, 2020, that appears to have introduced the code in question, according to Nathan Collier, a security researcher at Malwarebytes. LavaBird's now-banished Android app shouldn't be confused with ZXing Team's Barcode Scanner that remains in the Play Store.

LavaBird did not immediately respond to a request for comment.

Collier said in a blog post that this was not a case of a third-party SDK within the app going weird: it was a deliberate change. "Furthermore, the added code used heavy obfuscation to avoid detection," he noted.

Collier also noted that the code-signing certificate for known clean versions of the code matched the altered version.

After the update was pushed out, it took about three weeks before people's complaints drew attention to Barcode Scanner, at which point Malwarebytes began to block it. The software, which opens users' browsers, redirects them to unwanted websites, and prompts further software installation, has been dubbed Android/Trojan.HiddenAds.AdQR.

The Register asked Google to confirm when it removed Barcode Scanner and whether it has taken, or plans to take, any action to remove subverted versions of Barcode Scanner on Android users' devices. Google's app defense mechanism, Google Play Protect, has the ability to issue notifications about apps, to disable them, and to remove them automatically. We've not heard back from Google about how it responded.

Collier, via a spokesperson for Malwarebytes, said the antivirus biz could not confirm when Google removed the app but it was after he posted about it on the Malwarebytes forum on December 24, 2020. He said he's not sure how many people actually installed the update, and added that Google Play Protect has not removed the app from Android devices.

Switching up barcode scanning apps appears to be popular. In June last year, security biz TrendMicro reported finding two adware-laden barcode reading apps in Google Play, with 2m downloads between them. The outfit also identified 51 other apps that exhibited the same adware behavior. ®

Updated to add

After this story was filed, LavaBird wrote to us to say the company had sold Barcode Scanner to a third-party, and the malicious code was added by the buyer while the app was still associated with LavaBird’s Google Play account.

“The update that we published from our account was made by the buyer to verify the key and password from the application,” the company said. “The buyer was given access to the Google Play console of this application and he updated it himself. After that in a week, we transferred an application to buyer Google Play account – it was the 7th of December.”

MalwareBytes subsequently concluded that LavaBird was not to blame but was the victim of a social-engineering attack through which a malicious third-party takes over a popular app.

“Ultimately, I believe LavaBird’s claims,” wrote Collier in a follow-up post.

“Unfortunately, LavaBird came in our cross-hairs after firing off a blog about this malicious Barcode Scanner. As the evidence shows, we were in right in doing so. Regardless, now knowing the full story we apologize it led to this. We write this in hopes of clearing LavaBrid’s name.”