Malware found in CamScanner’s document scanning Android app, which has over 100M downloads

Malware found in CamScanner’s document scanning Android app, which has over 100M downloads
Credit: CamScanner

Another day, another instance of Android malware found on the Google Play app store.

Researchers from Kaspersky Lab said they found an app with 100 million downloads that housed a malicious module that then pushed ads or downloaded apps surreptitiously onto compromised Android devices.

The malicious component was found by the researchers after they were alerted to ‘suspicious behavior’ in the free version of the popular document scanning app CamScanner following a rash of negative reviews left by users to avoid using the app.

“CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time,” Kaspersky noted. “It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”

This module — identified as Trojan-Dropper.AndroidOS.Necro.n — is a trojan dropper, meaning it can extract and run a second malicious component accommodated within the app. This trojan downloader can be leveraged to infect the devices with other kinds of malware.

Kaspersky researchers found that when CamScanner is run, the dropper decrypted and executed malicious code contained in a “mutter.zip” file present in the app, before downloading encrypted code from a command-and-control server “https://abc.abcdserver[.]com.”

“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” the researchers said. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”

Google took down the app listing (CamScanner – Phone PDF Creator) from the Play Store after Kaspersky reporting their findings, but the researchers noted that the app developers have removed the malicious code in their latest update.

The latest instance of malware uderscores the continued challenge faced by Google to rid the platform of sketchy Android software.

The issues have also been compounded by what appears to a larger problem plaguing the Play Store: bad actors can mask their true intention by obfuscating malicious code behind encryption barriers that make it easy to bypass Google’s app vetting process.

Although the Mountain View behemoth’s antivirus efforts have resulted in the removal of hundreds of thousands of harmful apps, the security layer has not been entirely bulletproof to offer protection from all sorts of malware.

If you’ve been using CamScanner, it’s best to delete the app (or swap it for a paid version) and consider switching to first-party alternatives like Microsoft OneNote, Google Drive, or Apple Notes.

While sticking to Play Store is still the safest way to download apps, be sure to check their permissions, reviews, and install them only if it’s absolutely essential for your day-to-day needs. As the researchers caution, malware might just be one app update away.

Update on Aug. 31, 2019 9:00 AM: CamScanner’s developer has put out a statement laying the blame on an advertisement SDK provided by a third-party named AdHub which contained a malicious module that produces unauthorized advertising clicks. “We have removed all the ads SDKs not certified by Google Play and a new version would be released,” the developer said.

Read next: Calendar spam is a thing now, here's how to protect yourself