Google Play Store has actively been weeding out apps for engaging in malicious behaviour ranging from ad fraud to seeding harmful code. But despite the vigilant approach, some malware loaded apps are spotted from time to time and are booted off the app repository after raking in a tonne of downloads. The latest app to get booted from the Play Store is CamScanner, an app that converts photos of documents into PDF format and is fairly popular among users. CamScanner was found to contain malware that could seed ads and prompt users into signing up for paid services.
As per the findings of Kaspersky researchers, CamScanner's recent versions shipped with an advertising library containing a malicious module. The malicious Trojan Dropper module, which has been identified as "Trojan-Dropper.AndroidOS.Necro.n”, has previously been observed in some Chinese apps as well. What this module did is it extracted and ran another malicious module from an encrypted file that is found in the app's resources.
The resource-linked module, which is also called a “dropped” module, was found to be a Trojan downloader that downloaded even more harmful modules. After that, it would depend on how a malicious party intends to exploit these modules. One possible use case scenario is that such a malicious module can show intrusive ads and sign up users for paid services. In the case of CamScanner, which has over 100 million downloads, some users came across the app's sketchy behaviour and posted reviews on the Play Store with the intention of preventing them from downloading CamScanner.
Once the Kaspersky researchers came across the advertising dropper in a recent version of the CamScanner app, they reported it and the app was promptly removed from the Play Store. It was also observed that the developers behind CamScanner got rid of the module in the latest version of the app. But since different phones might be running different versions of the app, some of which might contain the malicious code in its resource files, it is better to uninstall the app and download it again only when it is back on the Play Store after due verification.