This popular Android app may have served up malware to millions

(Image credit: Shutterstock.com)

A Google Play Pass app called Barcode Scanner has been accused of spamming millions of users with unwanted adverts.

The news came from users on the forum of security firm Malwarebytes, who began noticing that ads were randomly opening in their web browsers on their Android devices.

Developer LavaBird LTD's app Barcode Scanner has previously allowed users to scan QR codes and generate barcodes before it received an update in December of last year. After the update though, what was once an innocent scanner turned into full on malware.

We've built a list of the best Android antivirus apps available
Keep your devices virus free with the best malware removal software
Also check out our roundup of the best ransomware protection

The Barcode Scanner app then began opening users' default browsers and showing them ads for other apps as well as recommending that they upgrade apps already installed on their devices in order to boost their performance.

The app in question had over 10m installs on the Google Play Store before it was taken down, though some users may still have it installed on their devices.

Malicious update

In order to provide apps to users for free, many free apps on Google Play include some kind of in-app advertising by including an ad SDK in their code. However, sometimes an ad SDK can change something on their end that makes their ads become more aggressive. Sometimes these changes can even transform an app into adware.

However, with Barcode Scanner, this wasn't the case as the malicious code added in the update was not found in previous versions of the app. Malwarebytes also discovered that the added code used heavy obfuscation to avoid detection. The cybersecurity firm also verified that the update came from LavaBird LTD by confirming that it had been signed by the same digital certificate as previous versions of the app.

Due to Barcode Scanner's obvious malicious intent, Malwarebytes looked even further into the app's code to discover a trojan in the form of Android/Trojan.HiddenAds.ADQR.

Users that still have Barcode Scanner installed on their devices should delete the app immediately to avoid being served unwanted and even malicious ads in their browsers.

We've also highlighted the best antivirus
Stay safer on your phone with the best Android VPN

Via Android Police

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.