Google’s Play Store has come in for serious criticism in recent weeks, with a procession of disclosures of malware-laced apps being installed by millions of users around the world. In the latest such disclosure, Kaspersky researchers have reported that the CamScanner app, “a phone-based PDF creator that includes OCR (optical character recognition) and has more than 100 million downloads,” has been “shipping with an advertising library containing a malicious module.”
CamScanner was “a legitimate app,” the researchers explained, “with no malicious intentions.” At that time, ads were used openly to generate a normal commercial return for the app’s developers and there were in-app purchases to generate additional revenue. “However, at some point, that changed.”
According to the researchers, the malicious module is a “Trojan Dropper.” This means it is malware designed as a delivery mechanism for other malware, and that other malware has a specific purpose. A dropper might be used to install malware that steals banking credentials, generates fake advertising clicks or signs up for fake subscriptions.
This particular malware—Trojan.Dropper.AndroidOS.Necro.n—has been seen before by the Kaspersky team “in some apps preinstalled on Chinese smartphones.” Some users have already reported this behavior to Google, and on finding the malware in a version of the app, the researchers reported it and it was “promptly removed from Google Play.”
The researchers also reported that the latest versions of CamScanner have seemingly removed the malware module, although they warn that “versions of the app vary for different devices, and some of them may still contain malicious code.”
Google is continually improving its defences against the abuse of its platform, but developers of such malware are working just as hard to keep a few steps ahead.
Google Play Protect is designed to guard against app vulnerabilities and, in 2018, Google “detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”
In the last month, we’ve seen reports of dozens of apps with hundreds of millions of installs being found to contain dangerous modules. We have seen reports of tens of millions of devices shipping with malware inside the preinstalled apps. And we have seen Google Play extend the review time for new apps as it looks to combat the issue.
But, as I’ve said before, there’s no substitute for common sense and treating apps from unknown sources as potential threats.