The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.
Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.
Then, at some point things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.