Researchers at the security firm Kaspersky found malware hiding in advertising within a recent version of the popular CamScanner app for Android smartphones.
CamScanner, which enables mobile devices to be used as document scanner, has been downloaded more than 100 million times by users through the Google Play store, Kaspersky notes.
The Trojan malware, which Kaspersky researchers call AndroidOS.Necro.n, is a dropper – a type of attack code that initially infects a computer or smartphone. In this case, once the dropper is installed, it then attempts to install a second Trojan from the attackers, according to Kaspersky.
It’s not clear what the end goal of this particular attack was, according to Kaspersky. The combination of these two Trojans could be used to spread a malvertising campaign or sign up smartphone users for services or websites they don’t want, the researchers say.
“In this particular case, we’ve seen an advertisement SDK [software development kit] added to the code of application. Based on feedback of users we’ve received and have seen in public, at least in some cases, people were losing money as a result of installation of this application with a malicious module,” Igor Golovin, security researcher at Kaspersky, tells Information Security Media Group.
Tips From Users
Negative reviews for the CamScanner app tipped Kaspersky off that something was wrong, according to the researchers.
“Unfortunately, nothing is 100 percent safe, and from time to time malware distributors manage to sneak their apps into Google Play,” the Kaspersky researchers note. “The problem is that even such a powerful company as Google can’t thoroughly check millions of apps.”
After noticing the malware hiding in the CamScanner app, Kaspesky notified Google, which removed the affected version of the app. CamScanner than issued an updated version.
Malware Hides in Advertising
The Kaspersky researchers found the affected version of the app contained advertising that housed the malicious code. Although the CamScanner app is free, the company sells advertising within the app to generate revenue, Kaspersky says.
In a brief statement on its website, CamScanner notes: “Our CamScanner team has recently detected that the advertisement SDK provided by a third-party named AdHub, integrated in Android Version 5.11.7, has been reported for containing a malicious module that produces unauthorized advertising clicks. Injection of any suspicious codes violates the CamScanner security policy. We will take immediate legal actions against Adhub. Fortunately, after rounds of security checks, we have not found any evidence showing the module could cause any leak of document data.”
Kaspersky’s Golovin notes: “We identified versions of the application with malicious modules only recently, at the end of August. Also recently, we’ve discovered versions of this app with malicious modules that were supposedly created in July.”
Third-Party App Risks
When researchers at the Georgia Institute of Technology and The Ohio State University recently studied the top 5,000 free apps on the Google Play Store, they identified 983 instances of known vulnerabilities and 655 instances of zero-day vulnerabilities. The researcher say third-party software, such as advertising, within these apps could be responsible for some of the vulnerabilities.
“Due to the widespread use of third-party SDKs, app developers are often unaware of the back-ends affecting their apps and where to report vulnerabilities,” the researchers concluded.
Date: September 10, 2019