Users of the free version of the CamScanner app have been advised to uninstall the app immediately, following the discovery of a hidden Trojan Dropper module. The app has already been downloaded by more than 100 million users worldwide, all of whom may be at risk.
CamScanner is an optical character recognition (OCR) app that allows users to create editable PDF files from photos of text. The free version of the app was available to download from the Google Play Store and initially attracted many positive reviews. When the app was first uploaded to the Google Play Store, it contained no malware and performed no malicious actions. However, at some point, the app was updated to include the malware dropper.
The malicious app was detected by Kaspersky Lab, which identified a malicious module in the advertising library that downloaded a malware dropper called Trojan-Dropper.AndroidOS.Necro.n. When run, the Trojan extracts and runs a second malicious module from the app’s resources, which in turn downloads and executes another malicious module.
Kaspersky Lab found the app was signing users up to subscription services without their knowledge, and users of the app were bombarded with invasive adverts. Any number of other malicious actions could potentially be performed by the app.
Kaspersky Lab researchers believe the location of the malicious module makes it probable that it was added by a third-party advertising partner of CamScanner. The malicious module was found in an earlier version of the app, but the latest version has had the module removed. Upon discovery of the malware, Google was notified, and the app was removed from the Google Play Store.
Since the malicious code is in the third-party advertising library, which is only present in the free version of the app, the paid-for version is unaffected and contains no malicious code.
Kaspersky Lab researchers said the malicious module had also previously been added to apps that were pre-loaded on certain Chinese smartphones.
The app initially received positive reviews from users, but the past few months have seen a flood of negative reviews, which prompted Kaspersky Lab to investigate. The researchers say their discovery shows that even legitimate apps with great online reviews and millions of users can go rogue overnight.