With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices.
Lavabird Ltd.’s Barcode Scanner was an Android app that had been available on Google’s official app repository for years. The app, with over 10 million installs, offered a QR code reader and a barcode generator — a useful utility for mobile devices.
The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems — until recently.
According to Malwarebytes, users recently started to complain of adverts appearing unexpectedly on their Android devices. Unwanted programs, ads, and malvertising are often connected with new app installations, but in this case, users reported that they had not installed anything recently.
Upon investigation, the researchers pinpointed Barcode Scanner as the culprit.