The security of the quintessential Android app store, Google Play Store, is once again questioned after it has been discovered that a very popular application with more than 100 million downloads contained malicious code. The application in the topic is called CamScanner app and, for a while, it was a legitimate application that allowed you to scan and store documents.
It is possible that you have ever installed it or that you have it right now on your smartphone since the app was advertised on many websites. The app was funded by ads and purchases within the application.
However, at one point, things changed. According to researchers at the antivirus provider Kaspersky Lab, the CamScanner app was updated to add an advertising library that contained a malicious module.
This component was what is known as a “Trojan dropper“, which means that it regularly downloaded encrypted code from a server designated by the developer. Then he decrypted it and ran it on infected devices.
The malicious module could download and execute what developers wanted at any time. The researchers claim that, in the past, they have seen this same malicious module in applications that were preinstalled on some phones sold in China.
“The functions of Trojan-Dropper.AndroidOS.Necro.n carry out the main task of malware: download and execute code from malicious servers,” explains Kaspersky Lab.
“As a result, those responsible for the module can use an infected device for their benefit in the way they deem appropriate, from showing intrusive advertising to the victim to stealing money from their mobile account by charging paid subscriptions.”
Some users had already been warning on Twitter that the CamScanner app was detected as a Trojan by antivirus, but the company responded by asking users to update their antivirus software (which was of no use because the alert still appeared).
Completely updated AV / security software. Scanned your new Google Play app. Still comes up as HEUR:Trojan-Dropper.AndroidOS.Necro.n — please address this directly.
— Tim Ackermann (@NTxIP) August 23, 2019
My antivirus is up to date and camscaner also up to date…but this problem are not solve… Daily notified by my antivirus when are scanning process…😞😑 pic.twitter.com/U4zSrKB8ZP
— Tanmoy Mondal (@thetanmoymondal) August 25, 2019
I loce camscanner but I also trust av software so, please confrim there is no risk of trojan and we can skip the alert. (All downloaded from google app, xiaomi mi max 3, not rooted)
— ömerilefaruk (@Kakalamtahu) August 24, 2019
As a result of the investigation, Google has immediately removed the Play Store app and, if you try to access it, you will get an application message not found.
The incident highlights the challenge facing Android users when they look for useful and safe applications. Google’s security mechanisms cannot detect everything, especially when developers enter malicious or unethical code into applications that have already passed initial inspections.
One way to detect malicious applications is to read the comments left by other users. Kaspersky Lab researchers said last month’s negative opinions “indicated the presence of unwanted features” in CamScanner.
We have contacted CamScanner to find out their point of view regarding these accusations and, as soon as we have an answer, we will update this article.
