The popular PlayStore Barcode Scanner application infected 10 million users

Nearly ten million Android users have been infected with the popular barcode reading app "Barcode Scanner", after the legitimate application turned into malware. The malicious behavior of the software was exposed by researchers from the security firm Malwarebytes, who reported it to Google and as a result the application was removed from the online store.

It was at the end of last December when investigators began receiving calls for help. Android device users. The company claims those users were seeing ads popping up out of nowhere through your default browsers. The strangest thing about the ad serving epidemic is that none of them had installed apps recently. However, all the apps they had installed since then came directly from Google Play.

The pop-up ads continued until one of the malware victims discovered that the ads were coming from a long-installed application called Barcode Scanner.

The researchers quickly added detection, after the user alerted and Google removed the app from the store. Many users have used the app on their mobile devices for a long time, including one user who had it installed for years.

After an update released in December, the application Barcode Scanner went from what it should be- offered a QR code reader and barcode generator, a useful utility for mobile devices, to complete malware. Although Google has already removed this application, the security company believes that the update took place on December 4, 2020, which changed the functions of the application to send announcements without prior notice.

While many developers incorporate advertisements into their software to be able to offer free versions, and paid applications simply don't display advertisements, in recent years the change has happened overnight. Useful resource applications for adware are becoming more and more common.

“Advertising SDKs can come from various third-party companies and be a source of income for the application developer. It's a win-win situation, ”Malwarebytes noted. “Users get a free app, while app developers and ad SDK developers get paid. But every now and then, an Ads SDK company might change something and the ads can start to get a bit aggressive.

Sometimes third parties may engage in "aggressive" advertising practices, but this is not the case with this barcode reader. Instead, the researchers say the malicious code was included in the December update and largely concealed to avoid detection. The update was also signed with the same security certificate that was used in previous versions of the Android application.

“No, in the case of Barcode Scanner, malicious code was added that was not present in previous versions of the application. Also, the added code used strong obfuscation to avoid detection. To verify that it comes from the same application developer, we confirmed that it had been signed by the same digital certificate as the previous clean versions ”.

The fact that Google has removed the application from Google Play does not mean that the application will disappear from the affected devices. This is exactly the problem experienced by users who installed Barcode Scanner. To put an end to it, users must manually uninstall the now malicious app.

Researchers were unable to determine exactly how long the barcode reader app had been a legitimate app on the Google Play store before it became malicious.

“Based on the large number of installs and user feedback, we believe it has been around for years. It's terrifying that with just one update, an app can turn malicious while still being under the Google Play Protect radar. It puzzles me that an app developer with a popular app can turn it into malware. Was it the plan from the beginning, to have an application idle, waiting to arrive after reaching popularity? I guess we'll never know, ”the investigators' report said.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

3 comments, leave yours

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   DaniFAQ said

    Right now, if I search for Barcode Play Store, it shows me two “Barcode Scanner” apps from different developers. You must indicate the author because it is impossible to identify an app by name.
    Well, okay, it sent advertising, according to the text: not aggressive. What app doesn't?

    When I install an app I always check if it brings ads and the permissions in «Info. of the app ».

    1.    It was absurd said

      It seems that you cannot read because the article makes it very clear. One thing is advertising, as in most apps, which is not usually intrusive and comes out from time to time and another very different thing is what they say in the article, which became quite intrusive advertising, to the point that described precisely because of that excess of publicity.

      1.    DaniFAQ said

        "Sometimes third parties can carry out 'aggressive' advertising practices, but this is not the case with this barcode reader."
        And it continues:
        "Instead, the researchers say that the malicious code was included in the December update and largely concealed to avoid detection."
        What is the problem.

        Thanks for your time ... even if it's useless.