Researchers find ad dropper on Google Play in an app downloaded more than 100 million times
Kaspersky Lab experts found an ad dropper in the CamScanner application on Google Play, which was downloaded more than 100 million times.
The application is designed to recognize text on photographed documents and create PDF files. It can also be found under slightly different names, for example CamScanner – Phone PDF Creator or CamScanner – Scanner to scan PDFs. Experts decided to check the application because users had recently begun complaining in large numbers about suspicious behavior in CamScanner.
As it turned out, CamScanner had no malicious intent before. However, its developers decided to use advertising or selling premium accounts for monetization, and at this point, something went wrong. Researchers write that the dropper was discovered not in the code of the application itself, but in an advertising library added to CamScanner relatively recently.
“Previously, a similar module was often found in preinstalled malware in Chinese-made smartphones. We can assume that the reason for its appearance was the partnership of application developers with an unscrupulous advertiser,” Kaspersky Lab experts report.
The malware was classified as Trojan-Dropper.AndroidOS.Necro.n, and experts have encountered it before: it was preinstalled on Chinese-made smartphones.
The dropper extracted another malicious module from an encrypted file stored in the application’s resources and ran it.
The second module was a bootloader Trojan: it contacted the management server, then downloaded and installed other malicious components on the device. The researchers note that the payload can be almost anything; it all depends on the plans of the malware developers. For example, they can force the application to show users intrusive ads or sign them up for paid subscriptions.
“Some functions of Trojan-Dropper.AndroidOS.Necro.n perform the main task of the malware: download and launch the payload from the attackers’ servers. As a result, the infected device gets the opportunity to benefit the owners of the module in any way that is appropriate for them, from showing the victim intrusive advertising to stealing money from her mobile account by issuing paid subscriptions,” say the researchers.
Kaspersky Lab experts have already reported this finding to Google engineers; the company responded and urgently removed the malicious application from Google Play.