#Check Your Phone Now – Review Geek

Last week we reported that Google had removed a popular Chrome extension because new owners turned it into a malware app. In a disturbingly common repeat, pretty much the same thing has happened with a popular Android app, which was downloaded millions of times on the Play Store. Out of nowhere it started serving malicious ads, and now it’s gone.

Malwarebytes documents how its forum users started reported seeing odd pop-up advertisements and website redirects in their mobile browsers a little more than a month ago. After some snooping by the service’s staff, it was determined that a December 4th update to “Barcode Scanner” by Lavabird LTD had started shoving ads for unnecessary (and possibly fraudulent) security servers to its millions of users.

Malwarebytes alerted Google and the listing for the app has been removed from the Play Store, but reportedly, it has not been remotely uninstalled from affected users’ phones (as was the case with the Chrome extension). Presumably, the app slipped by the Play Store’s normally robust suite of protections, Google Play Protect, by installing the malicious code as an innocuous update instead of starting as a phony app: it had been used harmlessly for years before the update.

It isn’t clear what prompted the change. In the case of The Great Suspender extension, it was obviously new owners of the service that steered it down a bad road. For Barcode Scanner, there was no obvious change in ownership or developer behavior that turned the app malicious. If you’re wondering which specific canner app it is, it was formerly at https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner. Oddly, the developer of that app is still active on the Play Store, with a similar app (not updated since August) still live. It’s listed with an identical icon, and the (possibly deliberate?) misspelling of “barcod scanner.” Its developer info lists Maharashtra, India as the location, with a generic Gmail address and a blank web page. Previous versions of the app, apparently under the same developer account, showed an innocuous WordPress page as its website.

Out of curiosity, I installed the alternate version of the app. It lists a privacy policy on that WordPress page that has a fairly rote disclaimer about serving up ads within the app itself, a standard and acceptable practice. I didn’t immediately see the browser hijacking behavior described in Malwarebytes’ blog post. Whatever went wrong with the other app, it doesn’t seem to be happening to the duplicate, though it isn’t clear why Google didn’t simply nuke all of the developer’s listings.

Google’s efforts to keep Android and Chrome “clean” have been generally sterling thus far, despite their inherent vulnerability as open platforms. But scurrilous actors can be ingenious in their efforts to circumvent security, and it seems like updates to long-trusted applications has become something of a blind spot. Google needs to do better to protect its users across all platforms.

Source: Malwarebytes