Kaspersky Lab researchers say they found malware in CamScanner, a document-scanning app with 100 million downloads from the Google Play Store, according to reports.
The security company said the malware shows intrusive ads and downloads and runs additional code without the user's consent. Only the Android version of the app is affected.
The researchers said they became aware of the problem after a wave of negative user reviews reported suspicious behavior in the app.
“CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time,” Kaspersky noted. “It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”
The malicious module is a trojan dropper: code whose job is to extract a secondary component hidden inside the app and run it. Kaspersky detects this one as Trojan-Dropper.AndroidOS.Necro.n, and once it is running it can be used to infect the device further.
“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” the researchers said. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”
Google removed the app listing from the Play Store after the malware was reported, although Kaspersky said the latest CamScanner update no longer contains the malicious code. The case illustrates how hard it is for Google to police apps in the Play Store.
Developers who want to hide malware inside an app can keep the malicious code encrypted within the package and decrypt it only at runtime, so Google's automated vetting, which inspects the app as submitted, never sees the real payload. As in this case, the code can also arrive inside a third-party advertising library rather than in the developer's own code, so the app's own authors may not know it is there.
Google has removed hundreds of thousands of harmful apps from the store, but some still slip through.
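One practical triage check for the pattern described above is to look for high-entropy, non-media files in the places a dropper typically stashes an encrypted payload. The following Python script is an added example, not code from the article or from Kaspersky: it builds a constructed stand-in for an APK (a zip with a few sample entries, not a real CamScanner build), then flags entries under assets/ or res/raw/ whose byte entropy is near the 8-bit maximum. The directory list, the 7.5-bit threshold and the skipped media extensions are assumptions chosen for illustration.

```python
"""Entropy triage for APK packages: flag assets that look like encrypted blobs.

Added example (not Kaspersky's tooling). An APK is a zip, so the standard
library is enough to walk it. Encrypted or packed payloads have near-uniform
byte distributions (entropy close to 8 bits/byte), while config files, text
and uncompressed code do not. Media files are skipped because they are
compressed by design and would be false positives.
"""
import io
import math
import os
import random
import zipfile
from collections import Counter

# Assumed skip list: formats that are legitimately high-entropy.
KNOWN_HIGH_ENTROPY_EXTS = {".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg",
                           ".mp3", ".mp4", ".ttf", ".otf", ".woff", ".woff2"}

# Assumed locations where a dropper would bundle its hidden component.
PAYLOAD_DIRS = ("assets/", "res/raw/")


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_assets(apk_bytes: bytes, threshold: float = 7.5,
                           min_size: int = 1024):
    """Return [(name, size, entropy)] for entries that look like encrypted payloads.

    Only entries under PAYLOAD_DIRS, larger than min_size and not in the
    media skip list are considered. threshold is in bits per byte.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < min_size:
                continue
            if not info.filename.startswith(PAYLOAD_DIRS):
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in KNOWN_HIGH_ENTROPY_EXTS:
                continue
            ent = shannon_entropy(zf.read(info))
            if ent >= threshold:
                hits.append((info.filename, info.file_size, round(ent, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; contents are synthetic, not a real app."""
    rng = random.Random(2019)  # deterministic so the result is reproducible
    random_bytes = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.scanner'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(4096))          # not under assets/
        zf.writestr("assets/config.json",
                    b'{"ads_enabled": true, "sdk": "v3"}\n' * 200)        # low entropy
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + random_bytes(4096))  # skipped by ext
        zf.writestr("assets/payload.bin", random_bytes(8192))             # the blob to flag
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, ent in find_suspicious_assets(build_sample_apk()):
        print(f"suspicious: {name} ({size} bytes, {ent} bits/byte)")
```

This is a triage heuristic, not a verdict: a flagged file needs follow-up (find the code that reads and decrypts it, typically via a DexClassLoader or native loader), and a dropper that fetches its payload from a server instead of bundling it will not show up here at all.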