How Can One Update Hijack 10 Million Devices?

With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. Until recently, Barcode Scanner was a straightforward application that provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. The app, which has been around since at least 2017, is owned by developer Lavabird Ltd. and claims to have over 10 million downloads.

Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google's official app repository for years. The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems. Lavabird Ltd. was incorporated in 2020 and is registered at an address in London, according to available online records. The company's director, Dmytro Kizema, resides in Ukraine.

According to Malwarebytes, users recently started to complain that advertising messages had begun appearing unexpectedly on their Android devices. Unwanted programs, ads, and malvertising are often connected with new app installations, but in this case users reported that they had not installed anything recently. Upon investigation, the researchers pinpointed Barcode Scanner as the culprit. It is frightening that with one update an app can turn malicious while staying under the radar of Google Play Protect. It is still unknown why an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reached popularity?

A software update issued on 04 December 2020 changed the functions of the app to push advertising without warning. Many developers implement ads in their software so they can offer free versions, while paid-for apps simply do not display ads; in recent years, however, the overnight shift of apps from useful resources to adware has become more common. "Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It's a win-win situation for everyone," investigators noted. "Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive."

Sometimes, 'aggressive' advertising practices can be the fault of third-party SDK providers, but this was not the case with Barcode Scanner. Instead, the researchers say that malicious code was pushed in the December update and was heavily concealed to avoid detection. The update was also signed with the same security certificate used in past, clean versions of the Android application, so the signing identity alone gave no indication that anything had changed.

Malwarebytes reported its findings to Google, which has now pulled the app from Google Play. However, this does not mean that the app will vanish from impacted devices, so users need to manually uninstall the now-malicious app.

Transforming clean SDKs into malicious packages is only one method employed to avoid Google Play Protect; time checks, long display delays, the compromise of open source libraries used by an app, and dynamic loading of code at run time are also cited as potential ways for attackers to compromise your mobile device.
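The two points above, that the malicious update was signed with the same certificate as the clean versions and that dynamic loading is a common way to slip code past store review, both mean a defender cannot rely on the signer alone and has to look at what an update actually changed. The following script is an added illustration, not code from Malwarebytes, Red Sky Alliance or the Barcode Scanner app: it treats an APK as the zip archive it is, diffs the entries of two versions, flags non-code assets that carry dex or zip magic bytes (a secondary payload staged for dynamic loading), and reports newly introduced references to Android's run-time class loaders. The two "versions" it inspects are constructed in memory with hypothetical entry names and contents; the check deliberately covers only version 1 (META-INF) signing artifacts and plain, unencrypted payloads, so a payload that is encrypted or packed, as the article's "heavily concealed" code may well have been, would need a deeper analysis than this magic-byte triage.

```python
import hashlib
import io
import re
import zipfile

# Byte signatures used for triage. Real dex files start with "dex\n" followed by
# a three-digit version; jar/apk payloads are plain zip archives.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
DEX_FILE = re.compile(r"^classes\d*\.dex$")

# Class names an app references when it loads code at run time.
LOADER_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
)


def build_apk(entries):
    """Build a minimal zip archive in memory as a stand-in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inventory(apk_bytes):
    """Map every entry name to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def diff_versions(old_apk, new_apk):
    """Entries added, removed or changed between two versions of an app."""
    old, new = inventory(old_apk), inventory(new_apk)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def find_hidden_code(apk_bytes):
    """Flag entries outside the normal classes*.dex slots whose first bytes are
    dex or zip magic: the usual way a secondary payload is shipped for dynamic loading."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or DEX_FILE.match(name):
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(DEX_MAGIC):
                findings.append((name, "dex"))
            elif head.startswith(ZIP_MAGIC):
                findings.append((name, "zip"))
    return findings


def loader_references(apk_bytes):
    """Run-time class-loader names referenced from the app's own dex files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if DEX_FILE.match(info.filename):
                data = zf.read(info)
                found.update(m.decode() for m in LOADER_MARKERS if m in data)
    return found


def triage_update(old_apk, new_apk):
    """Combine the three checks into one report for a single update."""
    return {
        "diff": diff_versions(old_apk, new_apk),
        "hidden_code": find_hidden_code(new_apk),
        "loaders": sorted(loader_references(new_apk) - loader_references(old_apk)),
    }


# Constructed sample "versions" (hypothetical names, not the real app): v2 adds a
# dex blob disguised as a font asset and a new DexClassLoader reference in the main dex.
SAMPLE_V1 = build_apk({
    "classes.dex": b"dex\n035\0Lcom/example/scanner/MainActivity;",
    "res/raw/beep.ogg": b"OggS" + b"\0" * 16,
    "META-INF/CERT.RSA": b"\x30\x82signature-block-v1",
})
SAMPLE_V2 = build_apk({
    "classes.dex": b"dex\n035\0Lcom/example/scanner/MainActivity;Ldalvik/system/DexClassLoader;",
    "res/raw/beep.ogg": b"OggS" + b"\0" * 16,
    "assets/fonts/roboto.bin": b"dex\n035\0payload",
    "META-INF/CERT.RSA": b"\x30\x82signature-block-v2",
})

if __name__ == "__main__":
    for key, value in triage_update(SAMPLE_V1, SAMPLE_V2).items():
        print(f"{key}: {value}")
```

Run against two real APK files read from disk, the report shows exactly what a signature check hides: the META-INF block changes with every release because the signature covers the new content, so it is the added asset with dex magic and the new class-loader reference, not the signer, that mark the update for closer review.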

Another interesting method, spotted by Trend Micro, is the implementation of a motion sensor check. In 2019, Android utility apps were found to contain the Anubis banking Trojan, which would only deploy once a user moved their handset, so that the payload stayed inactive on the motionless devices typically used for automated analysis.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Reporting: https://www.redskyalliance.org/

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949

TR-21-042-001_10mDevices.pdf

Source: https://www.zdnet.com/article/with-one-update-this-malicious-android-app-hijacked-10-million-devices/
