Kaspersky found malware in popular CamScanner app. Remove it now from your phone!

Security experts from Kaspersky spotted a malware in the free version of the popular PDF creator application CamScanner app.

CamScanner is a very popular Phone PDF creator app with more than 100 million downloads on Google Play Store. Experts from Kaspersky have discovered malware in the free Android version of the CamScanner app that could be used by attackers to remotely hack Android devices and steal targets’ data.

Google has already removed the CamScanner app from the official Play Store and users have to uninstall the app from their Android device immediately,

Malware researchers discovered a Trojan Dropper module in the app that could be exploited by remote attackers to download and install malicious payloads without any user interaction.

The module was hidden in a 3rd-party advertising library that the author of the app recently was introduced.

The issue was discovered after many CamScanner users observed suspicious behavior and posted negative reviews on Google Play Store over the past few months.

“After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser.” reads the analysis published by Kaspersky.

“Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.“

Experts pointed out that the same module was also found in some apps pre-installed on Chinese smartphones.

When the CamScanner app is launched, dropper decrypts and executes the malicious code contained in the mutter.zip file stored in the app resources.

The module can be used to execute malicious code for different purposes, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.

“Kaspersky products detect this module as Trojan-Dropper.AndroidOS.Necro.n, which we have observed in some apps preinstalled on Chinese smartphones. As the name suggests, the module is a Trojan Dropper. That means the module extracts and runs another malicious module from an encrypted file included in the app’s resources.” reads the analysis published by Kaspersky. “This “dropped” malware, in turn, is a Trojan Downloader that downloads more malicious modules depending on what its creators are up to at the moment.”

After Google removed the CamScanner app from the Play Store, the developers of the app eliminated the malicious code from the application with the latest update. Researchers warn that versions of the app vary for different devices, and some of them may still contain the malware.

The paid version if the app doesn’t include the 3rd-party advertising library, this means that it doesn’t contain the malware and for this reason, Google hasn’t removed it from the Play Store.

Recently other cases of infected apps distributed via Google Play Store made the headlines. Last week, ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

In March, researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted at the time of the discovery.

In February, security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

“What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base —can turn into malware overnight,” the Kaspersky researchers concluded.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CamScanner, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]