Users of a barcode scanner app on the Google Play Store got a nasty surprise in December when an update turned it into adware on potentially millions of Android phones.
The free app, known simply as Barcode Scanner, comes from Lavabird, a little-known developer, but has been downloaded more than 10 million times from the Google Play Store.
On Dec. 4, the app pushed an update to users’ smartphones with a shady new function: the once-benign app could now inject unwanted ads into the user’s default mobile browser, according to antivirus provider Malwarebytes. After receiving consumer complaints, Malwarebytes investigated the app and confirmed that the update contained malicious code.
The most alarming finding is that the malicious code appears to have been added to the app intentionally by Lavabird itself, according to Malwarebytes.
“Furthermore, the added code used heavy obfuscation to avoid detection,” it added. “To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions.”
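The check Malwarebytes describes (was the update signed by the same certificate as earlier clean builds?) can be reproduced offline from the APK files alone. The script below is an added example, not Malwarebytes’ or Lavabird’s code: it opens each APK as a ZIP, pulls the v1 (JAR) PKCS#7 signature block from META-INF, walks the DER to the SignedData certificates field and compares SHA-256 fingerprints. The sample APKs and “certificates” it builds at the bottom are constructed dummies so the script runs without a real APK. Two caveats a practitioner should keep in mind: a matching certificate proves the same signing key was used, not that the key was still in honest hands; and an APK signed only with the v2/v3 scheme carries its signature in the APK Signing Block, which this script does not parse (use apksigner for those).

```python
"""Compare the v1 (JAR) signing certificate of two Android APKs.

Added example, not Malwarebytes' tooling.  Only the v1 scheme (META-INF/*.RSA,
*.DSA, *.EC PKCS#7 blocks) is handled; v2/v3 signatures need apksigner.
"""
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#7 signature blocks")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def pkcs7_certificates(blob):
    """Return the DER bytes of every certificate inside a PKCS#7 SignedData."""
    tag, start, end = der_tlv(blob, 0)                 # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#7 ContentInfo")
    kids = list(der_children(blob, start, end))
    oid_tag, ostart, oend, _ = kids[0]
    if oid_tag != 0x06 or blob[ostart:oend] != SIGNED_DATA_OID:
        raise ValueError("ContentInfo is not signedData")
    _, cstart, _, _ = kids[1]                          # [0] EXPLICIT content
    _, sstart, send = der_tlv(blob, cstart)            # SignedData SEQUENCE
    certs = []
    for t, vs, ve, _ in der_children(blob, sstart, send):
        if t == 0xA0:                                  # [0] IMPLICIT certificates
            for ct, _, cve, cpos in der_children(blob, vs, ve):
                if ct == 0x30:                         # Certificate SEQUENCE
                    certs.append(blob[cpos:cve])
    return certs


def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints (hex) of all v1 signer certificates in an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    if not fps:
        raise ValueError("no v1 signature block found (v2/v3-only APK?)")
    return fps


def same_signer(old_apk, new_apk):
    """True when the update carries exactly the signing certificate(s) of the old build."""
    return signer_fingerprints(old_apk) == signer_fingerprints(new_apk)


# --- constructed sample data: dummy certs and fake APKs, not real artifacts ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_signature_block(cert_der):
    """Minimal PKCS#7 SignedData (version, empty digestAlgs, data contentInfo, certs, empty signerInfos)."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") +
                      der(0x30, der(0x06, DATA_OID)) + der(0xA0, cert_der) + der(0x31, b""))
    return der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, signed_data))


def fake_apk(cert_der):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n")
        z.writestr("META-INF/CERT.RSA", fake_signature_block(cert_der))
    return buf.getvalue()


CERT_A = der(0x30, b"dummy certificate A")   # stands in for the developer's cert
CERT_B = der(0x30, b"dummy certificate B")   # stands in for an unrelated cert

if __name__ == "__main__":
    old, update, rogue = fake_apk(CERT_A), fake_apk(CERT_A), fake_apk(CERT_B)
    print("update signed by same key:", same_signer(old, update))   # True
    print("rogue signed by same key: ", same_signer(old, rogue))    # False
```

On a real pair of APKs, replace the fake_apk() calls with the bytes of the old and new files; a True result matches what Malwarebytes reported for Barcode Scanner (same key, so the update came from the developer’s own signing identity), while a False result points to a different signer and would normally be rejected by Android at install time.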
The malicious code activates within minutes of the update being installed: the phone’s default browser opens a pop-up posing as Google that urges the user to install a “Rocket Cleaner” app from the Play Store to keep the device free of viruses.
According to victims, the adware was infuriating, and would persist even after a factory reset. “It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” Malwarebytes added. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity?”
We’ve reached out to Lavabird, and will update the story if we hear back. Fortunately, uninstalling the Barcode Scanner app will remove the adware.
Google didn’t immediately respond to a request for comment, but it has pulled Lavabird’s Barcode Scanner app from the Play Store. Google does vet apps on Google Play for security threats, yet the malicious Barcode Scanner update still got through.
To limit your exposure, be cautious about installing apps from little-known developers, and uninstall apps you rarely use: as this case shows, an app that was clean when you installed it can turn malicious with a single update.