Update: CamScanner has acknowledged that a malicious module was present in the CamScanner Advertising SDK Version 5.11.7. The SDK was apparently provided by a third party called AdHub and was producing clicks on unauthorized ads. The company says it will take immediate legal action against AdHub, since the injection of any suspicious code violates the company’s security policy. It adds that no evidence of document leakage has been found after “rounds of security checks”. Apparently, CamScanner has removed all ad SDKs that are not certified by Google Play and is releasing a new version that can currently be downloaded from the company’s website.
“This discarded malware, in turn, is a Trojan Downloader that downloads more malicious modules depending on what its creators are doing at the moment. For example, an application with this malicious code can display intrusive ads and register users for paid subscriptions,” says the Kaspersky blog. We verified that the CamScanner application has been removed from the Google Play Store. Kaspersky reports, however, that the developers of the application removed the malicious code with the latest update. Still, since the version of the application varies across devices, uninstalling it is recommended, because your device could have an earlier version that contains the Trojan Dropper malware module.
There is a good chance that you know the CamScanner application, which is available on both Android and iOS. The “Phone PDF Creator” or “Scanner to Scan PDFs” application had more than 100 million downloads before being removed from the Google Play Store. Kaspersky Labs researchers found malware in recent versions of the popular OCR (optical character recognition) application. Apparently it contained an advertising library with a malicious module that Kaspersky researchers identified as ‘Trojan-Dropper.AndroidOS.Necro.n’. According to the report, this particular malware module was previously detected in some applications that were preinstalled on some Chinese smartphones.
The malware module was detected only in the Android version of the application, and its iOS version appears to still be available in the App Store, probably due to Apple’s strict app review policies. As Kaspersky’s blog points out, CamScanner was a pretty good application that offered remarkable functionality. While it showed ads to generate revenue, there were options for in-app purchases and for buying a separate license to remove ads. However, the Trojan Dropper module inside the application is said to extract and execute another malicious module from an encrypted file included in the application’s resources.
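The behaviour described above, a payload hidden in an encrypted file among the app's resources, leaves a trace that can be checked for statically. The following Python code is an added example, not code from Kaspersky or from this article: it flags high-entropy files under an APK's resource directories, and the directory list, the 7.5 bits/byte threshold, the magic-byte allowlist and the sample archive are all assumptions constructed for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy (already compressed).
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"GIF8", b"OggS", b"\x1f\x8b", b"RIFF")
RESOURCE_DIRS = ("assets/", "res/raw/")  # where apps bundle opaque files
THRESHOLD = 7.5                          # bits per byte; assumed triage cut-off
MIN_SIZE = 1024                          # tiny files give unreliable entropy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_resources(apk) -> list:
    """Return (name, entropy) for resource files that look encrypted."""
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not info.filename.startswith(RESOURCE_DIRS) or info.file_size < MIN_SIZE:
                continue
            data = zf.read(info)
            if data.startswith(KNOWN_MAGIC):
                continue  # compressed media or archive, expected to be high-entropy
            h = shannon_entropy(data)
            if h >= THRESHOLD:
                hits.append((info.filename, round(h, 2)))
    return hits

def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK: text, PNG-like data and one opaque blob."""
    # Deterministic pseudo-random bytes standing in for ciphertext (4096 bytes).
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/help.txt", b"Scan documents to PDF.\n" * 200)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + noise)
        zf.writestr("assets/data.bin", noise)  # hypothetical encrypted payload
        zf.writestr("classes.dex", noise)      # outside resource dirs, ignored here
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, h in suspicious_resources(build_sample_apk()):
        print(f"{name}: {h} bits/byte")
```

A hit is only a lead for manual review: legitimate apps also ship encrypted or custom-compressed assets, so the result needs to be checked against what the app's code does with the file.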
This is not the first time that Google has banned the applications of a developer who commits advertising fraud. A few weeks ago, another popular application developer, DU Group, was also accused of committing advertising fraud through its applications. DU Group had some popular applications in the Play Store that were downloaded by many users: Omni Cleaner, RAM Master, Smart Cooler, Total Cleaner and AIO Flashlight, in addition to Selfie Camera.
“We actively investigate malicious behavior, and when we find violations, we take action, including eliminating a developer’s ability to monetize their application with AdMob or publish on Play,” a Google spokesman said in the BuzzFeed News report.
This is not the first time an application has slipped past the application verification process of the Google Play Store. While it can be difficult to keep up with the thousands of applications and updates that are released on the platform, Google needs to step up its game if it wants to assure users that the Play Store is the safest place to download Android applications from.