“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Collier wrote. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity?”

Collier said that adware is often the result of third-party software development kits, which developers use to monetize apps available for free. Some SDKs, unbeknownst to developers, end up pushing the limits. As Collier was able to establish from the code itself and a digital certificate that digitally signed it, the malicious behavior was the result of changes made by the developer.
The researcher wrote:
No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.
Google removed the app after Collier privately notified the company. So far, however, Google has yet to use its Google Play Protect tool to remove the app from devices that had it installed. That means users will have to remove the app themselves.

Google representatives declined to say if the Protect feature did or didn’t remove the malicious barcode scanner. Ars also emailed the developer of the app to seek comment for this post but so far hasn’t received a response.

Anyone who has a barcode scanner installed on an Android device should inspect it to see if it’s the one Collier identified. The MD5 hash digest is A922F91BAF324FA07B3C40846EBBFE30, and the package name is com.qrcodescanner.barcodescanner. The malicious barcode scanner shouldn't be confused with the one here or other apps with the same name.
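One way to run that inspection from a computer, as an added example that is not from Collier, Malwarebytes, or Ars: the script looks up the package name quoted above on a connected device and compares the installed APK's MD5 with the digest quoted above. It assumes `adb` is installed and USB debugging is enabled; the function names and status strings are made up for this example.

```shell
#!/bin/sh
# Added example. The two indicators are the ones quoted in the article.
IOC_PACKAGE="com.qrcodescanner.barcodescanner"
IOC_MD5="A922F91BAF324FA07B3C40846EBBFE30"

# Print the MD5 of a file (md5sum on Linux, md5 -q on macOS/BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 if file $1 hashes to digest $2. Hex case is ignored because
# the article prints the digest in uppercase and the tools print lowercase.
md5_matches() {
    actual=$(file_md5 "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check the connected device. Prints one of (hypothetical labels):
#   not-installed | installed-hash-match | installed-hash-differs
# "differs" only means the file is not the exact build the article names.
check_device() {
    # adb output may carry CRs; split APKs list several paths.
    paths=$(adb shell pm path "$IOC_PACKAGE" 2>/dev/null |
        tr -d '\r' | sed -n 's/^package://p')
    apk_path=$(printf '%s\n' "$paths" | grep 'base\.apk$' | head -n 1)
    [ -n "$apk_path" ] || apk_path=$(printf '%s\n' "$paths" | head -n 1)
    if [ -z "$apk_path" ]; then
        echo "not-installed"; return 0
    fi
    tmp=$(mktemp) || return 1
    adb pull "$apk_path" "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    if md5_matches "$tmp" "$IOC_MD5"; then
        echo "installed-hash-match"
    else
        echo "installed-hash-differs"
    fi
    rm -f "$tmp"
}

# Run the device check only when asked: sh check.sh --device
if [ "${1:-}" = "--device" ]; then check_device; fi
```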
The usual advice about Android apps applies here. People should install apps only when they provide true benefit and then only after reading user reviews and the permissions required. People who haven’t used an installed app in more than six months should also strongly consider removing it. Unfortunately, in this case, following this advice would not have protected many Barcode Scanner users.

It’s also not a bad idea to use a malware scanner from a reputable company. The Malwarebytes app provides app scanning for free. Running it once or twice a month is a good idea for many users.
This story originally appeared on Ars Technica.