Malicious Android app had more than 100 million downloads in Google Play
Kaspersky researchers recently found malware in an app called CamScanner, a phone-based PDF creator that includes OCR (optical character recognition) and has more than 100 million downloads in Google Play. Various resources call the app by slightly different names such as CamScanner — Phone PDF Creator and CamScanner-Scanner to scan PDFs.
Official app stores such as Google Play are usually considered a safe haven for downloading software. Unfortunately, nothing is 100% safe, and from time to time malware distributors manage to sneak their apps into Google Play.
The problem is that even such a powerful company as Google can’t thoroughly check millions of apps. Keep in mind that most of the apps are updated regularly, so Google Play moderators’ jobs are never done.
CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.
Kaspersky products detect this module as Trojan-Dropper.AndroidOS.Necro.n, which we have observed in some apps preinstalled on Chinese smartphones. As the name suggests, the module is a Trojan Dropper. That means the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This “dropped” malware, in turn, is a Trojan Downloader that downloads more malicious modules depending on what its creators are up to at the moment.
For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.
Some users of the CamScanner app have already spotted suspicious behavior and left reviews on the app’s Google Play page with warnings to avoid the app.
Kaspersky researchers examined a recent version of the app and found the malicious module there. We reported our findings to Google, and the app was promptly removed from Google Play.
It looks like app developers got rid of the malicious code with the latest update of CamScanner. Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code.
What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base —can turn into malware overnight. Every app is just one update away from a major change.