Karlston Posted August 27, 2019

Google Play app with 100 million downloads executed secret payloads

The sad, impractical truth about Android app security in 2019.

The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.

Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.

Then, at some point things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.

“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” a separate post from Kaspersky Lab explained. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”

The incident underscores the challenge Android users face when looking for useful apps. Google scanners are unable to catch everything, particularly when developers sneak malicious or unethical code into apps that have already passed initial inspections. The result: there’s no easy way to be sure an app is safe. This reality is disappointing, because Google has made real strides in securing more recent versions of Android.

One way to vet apps is to read reviews left by other users. Kaspersky Lab researchers said that negative feedback left over the past month “indicated the presence of unwanted features” in CamScanner. And of course, people should always scrutinize the permissions an app requires. Access to the microphone, camera, contacts, location data, or the phone app can often be telltale signs something is wrong, but not always. Often apps need this access for legitimate reasons. CamScanner, for instance, would obviously need access to the camera to work as advertised.

Seeking out apps from known developers, when possible, can often be helpful. Ultimately, the best strategy is to install only the apps that are truly useful and to uninstall apps that haven’t been used in a while. The practicality and effectiveness of this guidance is by no means ideal, but that’s unfortunately the current state of security for Android apps.

Source: Google Play app with 100 million downloads executed secret payloads (Ars Technica)
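The permission check the article recommends, as an added example that is not part of the original post or of the Ars Technica article: it reads a decoded AndroidManifest.xml and separates sensitive permissions the app's stated purpose explains from those it does not. The sample manifest and package name are constructed, and the mapping from the article's categories to Android permission names is this example's own selection.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Categories named in the article, mapped to standard Android permission
# names (this example's selection, not an exhaustive list).
P = "android.permission."
SENSITIVE = {
    "microphone": {P + "RECORD_AUDIO"},
    "camera": {P + "CAMERA"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS", P + "GET_ACCOUNTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "phone": {P + "READ_PHONE_STATE", P + "CALL_PHONE", P + "READ_CALL_LOG"},
}

def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def review(manifest_xml, expected_categories):
    """Split sensitive permissions into those the app's purpose explains
    and those it does not. 'unexplained' is a prompt to look closer,
    not proof of malice."""
    perms = requested_permissions(manifest_xml)
    report = {"expected": {}, "unexplained": {}}
    for category, names in SENSITIVE.items():
        hit = sorted(perms & names)
        if hit:
            bucket = "expected" if category in expected_categories else "unexplained"
            report[bucket][category] = hit
    return report

# Constructed sample: a hypothetical document scanner's decoded manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Doc Scanner"/>
</manifest>"""

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, {"camera"}))
```

A module that downloads and runs code, as the article describes, needs little more than network access, so a clean result here says nothing about whether such a component is present.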
straycat19 Posted August 28, 2019

Interesting that the program this article is talking about, CamScanner - Phone PDF Creator by INTSIG, is similar to another program by the same developer that has been around for years called CamScanner HD Scanner,FAX. I actually have this program on an old phone that I use as a mini tablet to keep junk off my actual phones. That phone has an AV program on it and I scanned it with two other programs and nothing was found. Find it a little unusual that one program from the developers was dropping malware when they have at least 7 others on the store that are still there and are apparently clean. Maybe it wasn't the actual developers that put the malware in the program. Who can say anymore without further investigation and evidence.
plumpuding Posted August 28, 2019

Malicious camscanner android app

Recent versions of this app contain a Trojan Dropper which had been reported by Kaspersky and confirmed by Google and has since been banned from the Google Play store as a result.

camscanner removed of google play

Evidence Found here: malicious camscanner android app

source: AdGuard forum
TrojanK Posted August 28, 2019
mkc21 Posted August 28, 2019

true that, I can't find it wth??
Administrator DKT27 Posted August 29, 2019

On 8/28/2019 at 2:57 PM, TrojanK said:

@plumpuding: Topics merged.

On 8/28/2019 at 12:16 PM, straycat19 said:

Interesting that the program this article is talking about, CamScanner - Phone PDF Creator by INTSIG, is similar to another program by the same developer that has been around for years called CamScanner HD Scanner,FAX. I actually have this program on an old phone that I use as a mini tablet to keep junk off my actual phones. That phone has an AV program on it and I scanned it with two other programs and nothing was found. Find it a little unusual that one program from the developers was dropping malware when they have at least 7 others on the store that are still there and are apparently clean. Maybe it wasn't the actual developers that put the malware in the program. Who can say anymore without further investigation and evidence.

Ad library which the app uses was found with badware in it.
This topic is now archived and is closed to further replies.