Researchers found a Trojan Dropper malicious module hidden within the Android app CamScanner downloaded over 100 million times by Google Play Store users.
The malicious component was found by Kaspersky security researchers Igor Golovin and Anton Kivva while taking a closer look at the insides of the CamScanner app following a deluge of negative reviews posted by users over the last few months.
Since a sudden increase in negative ratings and user reviews usually points to something not going right with an app, the researchers examined it and found “that the developer added an advertising library to it that contains a malicious dropper component.”
Similar modules pre-installed on low-cost devices
This is not the first time this type of malicious module was discovered on Android smartphones, with pre-installed versions having been found on over 100 low-cost Android devices in 2018 and more than two dozen device models in 2016.
In both cases, the malicious component was used by the threat actors to push ads to the infected devices, and the compromised Android smartphones and tablets also installed unwanted apps behind the users’ backs.
In this case, while CamScanner was initially a legitimate Android app using in-app purchases and ad-based monetization, “at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module,” says Kaspersky.
The module, dubbed Trojan-Dropper.AndroidOS.Necro.n, is a Trojan Dropper: a malware strain used to download and install a Trojan Downloader on already compromised Android devices, which can then infect the smartphone or tablet with other malware.
When the CamScanner app is launched on the Android device, the dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app’s resources.
“As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions,” found the researchers.
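The behaviour described above, a payload container (mutter.zip) hidden in the app's resources and unpacked at launch, suggests a simple triage check defenders can run on an APK: flag asset or raw-resource entries that are themselves archives or are high-entropy blobs. The following is an added example, not code from Kaspersky's report; the sample APK and its contents are constructed in memory for illustration.

```python
import io
import math
import zipfile

# Constructed sample: an in-memory APK (an APK is a zip file) carrying an
# innocent text asset plus a nested archive named like the container in the report.
def build_sample_apk() -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.bin", bytes(range(256)) * 8)  # high-entropy stand-in
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/strings.txt", "hello " * 100)
        z.writestr("assets/mutter.zip", inner.getvalue())
    return apk.getvalue()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, low for plain text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_suspicious_resources(apk_bytes: bytes, entropy_threshold: float = 7.0):
    """Return names of assets/ or res/raw/ entries that are nested zip archives
    or high-entropy blobs, i.e. candidate containers for a hidden payload."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            data = apk.read(name)
            is_zip = data[:4] == b"PK\x03\x04"  # local file header magic
            if is_zip or shannon_entropy(data) >= entropy_threshold:
                flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(find_suspicious_resources(build_sample_apk()))  # ['assets/mutter.zip']
```

A hit is only a triage signal: legitimate apps also ship compressed or encrypted assets, so flagged entries still need manual review of the code that reads them.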
Google removed the app from the Play Store after Kaspersky’s researchers reported their findings but, as they also add, “it looks like app developers got rid of the malicious code with the latest update of CamScanner.”
“Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code,” they conclude.
A full list of indicators of compromise (IOCs) including MD5 hashes of malware samples distributed by the attackers and command and control (C2) server domains used in this campaign is available at the end of Kaspersky’s report.
This is yet another incident affecting Play Store users in August, with researchers previously discovering a clicker Trojan bundled within over 33 apps distributed via Google’s official Android store and downloaded more than 100 million times.
Also, just last week, an Android app including the spyware capabilities of the open-source AhMyth Android RAT managed to circumvent Google Play Store’s automated malware protection twice over a period of two weeks as found by ESET researchers.