CamScanner, the most popular document and photo scanning app out there, has been found to conceal some seriously nasty malware, prompting its swift removal from the Play Store. Malware taking hold of an already popular app that was once squeaky-clean is not entirely unheard of, but it is quite uncommon, especially with apps that have incredibly vast audiences.
In this case, CamScanner is a cross-platform app with over 1.8 million reviews and hundreds of millions of installs on the Play Store.
The malware found is of a most foul variety; one that can actually cost hapless users money. Kaspersky found the malware after investigating some negative user reviews on the app, and dubbed it Necro.n, presumably because it decrypts and brings to life a dormant zip file contained in the app’s APK.
The contents of “mutter.zip”, when extracted and decrypted, are instructions to decrypt and open up more files. One of them, named “comparison”, phones home to several different servers, which in turn feed the app its attack instructions.
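As an added defender-side triage example (not CamScanner’s or Kaspersky’s code): an APK is itself a zip archive, so a quick check can open it and flag the embedded “mutter.zip” named above, or any nested archive whose members look encrypted rather than merely compressed. The `assets/` path, the entropy cutoff and the sample APK are constructed assumptions for illustration.

```python
import io
import math
import random
import zipfile

KNOWN_DROPPER_ASSETS = {"mutter.zip"}  # name taken from the write-up
ENTROPY_THRESHOLD = 7.5  # bits/byte, assumed cutoff: text sits near 4-5, encrypted data near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes) -> list:
    """Flag APK entries that carry a known dropper name or a nested archive of near-random bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info.filename)  # directories read back as b"" and are never flagged
            reasons = []
            if info.filename.rsplit("/", 1)[-1] in KNOWN_DROPPER_ASSETS:
                reasons.append("known dropper asset name")
            # A nested archive whose members look encrypted is the usual shape of a runtime-decrypted stage
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if any(shannon_entropy(inner.read(m)) > ENTROPY_THRESHOLD for m in inner.namelist()):
                        reasons.append("nested archive with high-entropy contents")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings

def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    return buf.getvalue()

def build_sample_apk() -> bytes:
    """Constructed sample APK: a benign help archive beside a mutter.zip holding random bytes."""
    rng = random.Random(2019)  # fixed seed keeps the sample deterministic
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as apk:
        apk.writestr("assets/help.zip", make_zip("readme.txt", b"scan tips\n" * 40))
        apk.writestr("assets/mutter.zip", make_zip("comparison", bytes(rng.getrandbits(8) for _ in range(4096))))
    return out.getvalue()
```

Running `triage_apk(build_sample_apk())` reports only `assets/mutter.zip`, with both reasons, while the benign help archive passes; on a real APK the entropy test catches a renamed stage that the name list alone would miss.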
From there, things like ad fraud, showing full-screen ads, using a target device to mine cryptocurrency, and much more all come into the realm of possibility. CamScanner’s gamut of permissions tied to its normal function make it the perfect attack vector, and attackers can, in theory, even go as far as signing users up for paid subscriptions.
In some cases, users won’t know about these subscriptions until they receive their next billing statement from their carrier.
This is all thanks to a third-party advertising company that helped monetize CamScanner, known as AdHub. CamScanner has been one of Android’s most popular apps from the platform’s earliest days, frequently earning top billing in the Android Market before the Play Store came to be. Kaspersky and other researchers grabbed and tested a multitude of versions of the app, and found that the affected versions all come from June and July of 2019.
If you’re running a version from May 2019 or earlier, or if you’re running one of the August versions that came out before the malware was reported and the app was pulled, you’re safe.
CamScanner, for its part, put out a seething statement about the matter, assuring legal action against AdHub. The company went on to say that the illicit code, when analyzed, presented no possibility of any privacy concerns, such as leaking scanned documents.
The team has apparently revamped the app’s advertising, partnering only with ad agencies that are approved by Google in preparation for building out a new version and getting back into the Play Store. There is also a download link, accessible via CamScanner’s website, that will allow users to download a safe APK file if they uninstalled the app upon hearing the news, or are running an affected version and can’t update due to the app disappearing from the Play Store.
It is worth mentioning that there are other options out there, such as Scan2PDF, for users who depended on CamScanner but aren’t exactly keen on staying with it after this ordeal.
To be sure, only June and July versions are on the bad list, as they’ve all been extensively analyzed. CamScanner is still not back in the Play Store as of this writing, but there’s presumably no reason for Google to deny the company’s request once a cleaned-up version with a Google-approved ad vendor is submitted and examined.