Android Google Play app with 100 million downloads starts to deliver malware

CamScanner, an Android app that has been available since 2010, has recently started installing malware.
Written by Liam Tung, Contributing Writer

Google has removed the hugely popular CamScanner PDF creator Android app from the Google Play Store after learning that it recently started delivering malware. 

The CamScanner app, which is published by Shanghai-based CC Intelligence, has been downloaded over 100 million times from the Google Play store since it was first made available in 2010. 

The company specializes in optical character recognition (OCR). Beyond its CamScanner app with OCR text-reading functionality, it sells apps that capture text from business cards, including CamCard and CamCard for Salesforce. 

The company has relied on ads and in-app purchases to earn revenue from CamScanner. However, according to researchers at Russian antivirus firm Kaspersky, recent versions of the app included a new advertising library that contained a Trojan designed to deliver malware to Android devices. 

Kaspersky notes that the "malicious code may show intrusive ads and sign users up for paid subscriptions." Intrusive ads are pesky, but no consumer wants to pay for subscriptions they never signed up for. 

The so-called trojan dropper is configured to connect to the attackers' servers, download additional code, and then execute that code on Android devices with the app installed.   

The app is currently unavailable in the Google Play store, which is the safest place to install Android apps, but its corresponding iOS version is still available on Apple's App Store. 

The incident looks more like a case of developers accidentally using a malicious ad library. Such libraries are frequently found embedded in otherwise legitimate apps. 

One ad library, called BeiTaPlugin, recently began shipping with 238 Google Play apps and affected 440 million users. And after those apps were pulled by Google, other Chinese Android app developers tried hiding the same library in another 60 apps that were again removed by Google.   

"It can be assumed that the reason why this malware was added was the app developers' partnership with an unscrupulous advertiser," noted Kaspersky researchers Igor Golovin and Anton Kivva. 

Kaspersky notes that the app developers appeared to have removed the malicious code in more recent updates to the CamScanner app. 

But the case upends the usual rule that users can judge an app by user reviews. On Google Play it has 1.8 million reviews, weighted heavily towards five out of five stars. Similarly, reviews on Apple's App Store are generally glowing. 

However, Kaspersky began investigating the app after its researchers noticed a batch of recent negative reviews on Google Play. 

"What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base — can turn into malware overnight. Every app is just one update away from a major change," Kaspersky researchers said. 

CC Intelligence says it has now removed all the advert SDKs not certified by Google Play from its app and is releasing a new version of CamScanner.

The company is inviting users affected by the issues to get in contact for a direct upgrade and also provides a link in the statement published on its website to download the new version. 

CC Intelligence said the advert SDK, provided by a third party, violates its own security policy and that it would be taking immediate legal action.

"Fortunately, after rounds of security checks, we have not found any evidence showing the module could cause any leak of document data," CC Intelligence said. 
