At the end of last year, Malwarebytes forum users began noticing that ads were randomly opening in the web browsers on their Android devices, and it turns out that a Google Play Pass app called Barcode Scanner was responsible.

The app in question had over 10m installs on the Google Play Store before it was taken down, though some users may still have it installed on their devices.

Developer LavaBird LTD’s app Barcode Scanner had previously allowed users to scan QR codes and generate barcodes before it received an update in December of last year. After the update, though, what was once an innocent scanner turned into full-on malware.

The Barcode Scanner app then began opening users’ default browsers and showing them ads for other apps as well as recommending that they upgrade apps already installed on their devices in order to boost their performance.

Malicious update

To remain free for users, many apps on Google Play include some kind of in-app advertising by bundling an ad SDK in their code. However, sometimes an ad SDK can change something on its end that makes its ads more aggressive. Sometimes these changes can even transform an app into adware.

With Barcode Scanner, however, this wasn’t the case, as the malicious code added in the update was not found in previous versions of the app. Malwarebytes also discovered that the added code used heavy obfuscation to avoid detection. The cybersecurity firm also verified that the update came from LavaBird LTD by confirming that it had been signed by the same digital certificate as previous versions of the app.
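The signer comparison described above can be reproduced as follows. This is an added example, not Malwarebytes' tooling: it assumes the text output of `apksigner verify --print-certs` has been captured for the old and new APK, and the sample outputs, digests and function names are constructed for illustration.

```python
import re

# Constructed digests; real ones come from the APKs being compared.
KEY_A = "a1" * 32
KEY_B = "b2" * 32

def sample_output(digest):
    """Build constructed text in the `apksigner verify --print-certs` format."""
    return (
        "Signer #1 certificate DN: CN=Example Developer\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
    )

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)

def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    digests = {d.lower() for d in DIGEST_RE.findall(print_certs_output)}
    if not digests:
        raise ValueError("no signer certificate digest found (unsigned or bad output)")
    return digests

def compare_signers(old_output, new_output):
    """Classify an update by comparing its signers with the previous version's."""
    old, new = signer_digests(old_output), signer_digests(new_output)
    if old == new:
        return "same-signer"       # update was produced with the developer's key
    if old & new:
        return "partial-overlap"   # signer set changed; review before trusting
    return "different-signer"      # repackaged or re-signed by another party

if __name__ == "__main__":
    previous = sample_output(KEY_A)
    print(compare_signers(previous, sample_output(KEY_A)))
    print(compare_signers(previous, sample_output(KEY_B)))
```

A "same-signer" result only attributes the update to the holder of the signing key; as this case shows, it says nothing about whether the new code is benign.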

Due to Barcode Scanner’s obvious malicious intent, Malwarebytes looked even further into the app’s code to discover a trojan in the form of Android/Trojan.HiddenAds.ADQR.

Users who still have Barcode Scanner installed on their devices should delete the app immediately to avoid being served unwanted and even malicious ads in their browsers.

Via Android Police