Barcode-Scanning App for Android Pushed Malware Onto Millions of Phones
A popular app has been removed from Google Play after it was discovered to have delivered trojanized malware onto millions of users’ phones via an update. Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ltd. and claims to have over 10 million downloads, the Wayback Machine shows.
However, a rash of malicious activity was recently traced back to the app. Users began noticing something weird going on with their phones: their default browsers kept getting hijacked and redirected to random advertisements, seemingly out of nowhere. For a number of people, it wasn’t clear what was causing the disruptions—as many hadn’t recently downloaded any apps. After enough peeved victims wrote about their experiences on a web forum, one user ultimately pointed the finger at Barcode. Researchers with Malwarebytes have verified the scanner is the culprit, releasing a new report that shows it delivered the ad-producing malware onto users’ phones, probably via a December update. The update spoiled the previously benign app—taking it from “an innocent scanner to full on malware,” researchers write.
Please note that the latest smartphones with iOS 13 and Android 9 and above are equipped with an advanced QR code reader in the built-in camera app, so downloading a third-party app is no longer required.