Barcode Scanner, an Android app developed by Lavabird Ltd, had been available on the Google Play Store for quite some time. It was a popular app by every standard, judging by the more than 10 million downloads it had garnered since becoming available on the platform.
The app was a QR code reader and barcode generator that allowed users to scan and read all QR code and barcode types, including text, URL, ISBN, product, contact, and location, among others. In every respect, it was a great utility app for mobile devices. Until quite recently, the application had served the needs of its users well and appeared to be a reliable and credible app.
But according to information from security company Malwarebytes, many users recently began to notice ads and other unwanted advertising programs popping up on their phones. Usually, when this happens, it means such users might have installed a malware app on their phones, prompting the barrage of popup ads. Except that this wasn’t the case. Most users reported that they had not installed any new apps on their devices. When the investigation commenced, the source of their problem was quickly identified.
Barcode Scanner was identified as being behind the malvertising on users’ devices. The app developer had issued a new update to the app on December 4, 2020, which caused the app to start showing adverts without prior notification.
While it is true that many apps come with advertising, ads are usually shown in the free versions of the apps, with warnings and due notifications from the developer. It is one way app developers can raise revenue while allowing users to use the free versions. The app developers are usually in partnership with ad SDK developers to pursue these advertising efforts. When users purchase the paid versions, such ads are halted and no longer shown, Slashgear reports.
However, when unwanted ads are shown on users’ devices, it can be the fault of the third-party SDK companies. This was not the case with Barcode Scanner, since malicious code was purposely inserted in its last update and hidden from users.
When researchers at Malwarebytes reported the app to Google, it was pulled from the Play Store. Users are advised to uninstall the app from their device if they are yet to do so. Transforming an otherwise clean SDK is one way hackers steal users’ information while avoiding detection from Google.
Lavabird is yet to make a public statement concerning this development.