Barcode-Scanning App for Android Pushed Malware Onto Millions of Phones

A popular app has been removed from Google Play after it was discovered to have delivered trojanised malware onto millions of users’ phones via an update.

Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ltd. and claimed over 10 million downloads, according to Google Play listings preserved in the Wayback Machine.

However, a rash of malicious activity was recently traced back to the app. Users began noticing something weird going on with their phones: their default browsers kept getting hijacked and redirected to random advertisements, seemingly out of nowhere. For a number of people, it wasn’t clear what was causing the disruptions — as many hadn’t recently downloaded any apps. After enough peeved victims wrote about their experiences on a web forum, one user ultimately pointed the finger at Barcode.

Researchers with Malwarebytes have verified the scanner is the culprit, releasing a new report that shows it delivered the ad-producing malware onto users’ phones, probably via a December update. The update spoiled the previously benign app — taking it from “an innocent scanner to full on malware,” researchers write.

Researchers distinguish Barcode’s ad-pushing malware from basic ad SDKs — programs used by publishers to launch in-app advertising for monetisation purposes — claiming that “this was not the case” with Barcode Scanner. Whoever injected the malicious code used heavy obfuscation to hide the fact that it was there, researchers say, adding that the app appears to have been intentionally transformed from a normal app into a malicious one via the update. They write:

It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.

While Google has yanked Barcode Scanner from its app store, it is not gone from affected devices. Users of the app will still have to manually uninstall it from their phones.

Barcode Scanner’s owner, Lavabird Ltd., was incorporated in 2020 and is registered at an address in London, according to available online records. The company’s director, Dmytro Kizema, resides in Ukraine.

Gizmodo has reached out to Lavabird and will update if we hear back.