Malicious Update Turns Popular Barcode Scanner App into Malware
The popular Android app Barcode Scanner, used by over 10,000,000 people to scan and generate QR and barcodes, unexpectedly became malicious after an update on December 4, 2020. Security experts from Malwarebytes and many users noticed alarming changes. They reported that after the update, Barcode Scanner began to secretly launch the default browser (without any user interaction), which then displayed ads for other potentially harmful apps.
“Advertising SDKs can come from various third-party companies and provide a source of income for app developers. It’s a win-win situation for everyone. Users get a free app, and both app developers and ad SDK developers make money. But from time to time, companies behind ad SDKs may change something on their end, and the ads can become aggressive,” the experts wrote.
However, this was not the case with Barcode Scanner—the blame does not lie with third-party ad SDK developers. According to researchers, the malicious code was signed with the same certificate as previous “clean” versions of the app and was carefully hidden to avoid detection.
When researchers reported the issue to Google engineers, action was taken quickly: the app has already been removed from the Google Play Store. However, users will have to remove the malware from affected devices manually.