Researchers found on Google Play ad dropper that was downloaded more than 100 million times

Kaspersky Lab experts found an ad dropper in the CamScanner application on Google Play, which was downloaded more than 100 million times.

Experts decided to check the application because recently, users began massively complain about the suspicious behavior of CamScanner.

As it turned out, CamScanner had no malicious intent before. However, its developers decided to use advertising or selling premium accounts for monetization, and at this point, something went wrong. Researchers write that the dropper was discovered not in the code of the application itself, but in the advertising library, added to CamScanner relatively recently.

“Previously, a similar module was often found in preinstalled malware in Chinese-made smartphones. We can assume that the reason for its appearance was the partnership of application developers with an unscrupulous advertiser”, – Kaspersky Lab experts report.

Malware was classified as Trojan-Dropper.AndroidOS.Necro.n, and experts have already encountered such malware earlier: it was preinstalled on Chinese-made smartphones.

The dropper was used to extract another malicious module from an encrypted file that was stored in the application’s resources and ran it.

Read also: Data leak affected 14 million customers of Hostinger service

The second module was a bootloader Trojan: it contacted the management server, downloaded and installed other malicious components on the device. It is noted that the payload can be almost anything – it all depends on the plans of the malware developers. So, they can force the application to show users intrusive ads or issue paid subscriptions.

“Some functions of Trojan-Dropper.AndroidOS.Necro.n perform the main task of the malware: download and launch the payload from the attackers’ servers. As a result, the infected device gets the opportunity to benefit the owners of the module in any way that is appropriate for them, from showing the victim intrusive advertising to stealing money from her mobile account by issuing paid subscriptions”, – say the researchers.

Kaspersky Lab experts have already reported this finding to Google engineers, the company responded and emergently removed the malicious application from Google Play.