Google has already removed the CamScanner app from the official Play Store and users have to uninstall the app from their Android device immediately,
Malware researchers discovered a Trojan Dropper module in the app that could be exploited by remote attackers to download and install malicious payloads without any user interaction.
The module was hidden in a 3rd-party advertising library that the author of the app recently was introduced.
The issue was discovered after many CamScanner users observed suspicious behavior and posted negative reviews on Google Play Store over the past few months.
“After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. Previously, a similar module was often found in
“Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.
Experts pointed out that the same module was also found in some apps pre-installed on Chinese smartphones.
When the CamScanner app is launched, dropper decrypts and executes the malicious code contained in the mutter.zip file stored in the app resources.
The module can be used to execute malicious code for different purposes, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.
“Kaspersky products detect this module as Trojan-Dropper.AndroidOS.Necro
After Google removed the CamScanner app from the Play Store, the developers of the app eliminated the malicious code from the application with the latest update. Researchers warn that versions of the app vary for different devices, and some of them may still contain the malware.
The paid version if the app doesn’t include the 3rd-party advertising library, this means that it doesn’t contain the malware and for this reason, Google hasn’t removed it from the Play Store.
Recently other cases of infected apps distributed via Google Play Store made the headlines. Last week, ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.
In March, researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted at the time of the discovery.
In February, security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.
“What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base —can turn into malware overnight,” the Kaspersky researchers concluded.