- CamScanner app had over 100 million downloads on the Play Store
- Some users had already spotted the malicious behaviour in CamScanner
- The Trojan dropper module could be exploited for seeding ads
Google Play Store has actively been weeding out apps for engaging in malicious behaviour ranging from ad fraud to seeding harmful code. But despite the vigilant approach, some malware loaded apps are spotted from time to time and are booted off the app repository after raking in a tonne of downloads. The latest app to get booted from the Play Store is CamScanner, an app that converts photos of documents into PDF format and is fairly popular among users. CamScanner was found to contain malware that could seed ads and prompt users into signing up for paid services.
As per the findings of Kaspersky researchers, CamScanner’s recent versions shipped with an advertising library containing a malicious module. The malicious Trojan Dropper module, which has been identified as “Trojan-Dropper.AndroidOS.Necro.n”, has previously been observed in some Chinese apps as well. What this module did is it extracted and ran another malicious module from an encrypted file that is found in the app’s resources.
The resource-linked module, which is also called a “dropped” module, was found to be a Trojan downloader that downloaded even more harmful modules. After that, it would depend on how a malicious party intends to exploit these modules. One possible use case scenario is that such a malicious module can show intrusive ads and sign up users for paid services. In the case of CamScanner, which has over 100 million downloads, some users came across the app’s sketchy behaviour and posted reviews on the Play Store with the intention of preventing them from downloading CamScanner.