CamScanner, an app used by millions of users to scan documents on mobile devices, is the latest to come under a malware alert, this one raised by Kaspersky Lab. As of now CamScanner has more than 100 million downloads from the Google Play Store. Kaspersky found that its latest update has a malicious module that pushes ads or downloaded apps instantaneously onto compromised Android devices.
Kaspersky researchers found the suspicious malware in the free version of the popular scanning app after they were alerted by one of their scanners, following which people have started leaving negative reviews on the app's Play Store page. “CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time,” Kaspersky noted. “It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”
This module — identified as Trojan-Dropper.AndroidOS.Necro.n — is a trojan dropper, meaning it can extract and run a second malicious component encrypted within the app. This trojan downloader can be leveraged to infect the devices with other kinds of malware.
Kaspersky researchers found that when CamScanner is run, the dropper decrypted and executed malicious code contained in a “mutter.zip” file within the app, before downloading encrypted code from a command-and-control server “https://abc.abcdserver[.]com.”
“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” the researchers said. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”
Google removed the app listing (CamScanner – Phone PDF Creator) from the Play Store after Kaspersky reported its findings, but Kaspersky notes that the app developers removed the malicious code in their latest update.
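Since the malicious code is tied to specific app versions, archived or sideloaded APKs can be triaged for the two indicators named above. The following is an added example, not code from Kaspersky or from the original article: it treats an APK as a ZIP archive and flags any entry named "mutter.zip" or containing the reported host string. The function names, the size limit and the sample archive layout are assumptions made for illustration.

```python
import io
import zipfile

# Indicators named in the article. The host stays defanged in source.
DROPPER_ARCHIVE = "mutter.zip"
C2_HOST_DEFANGED = "abc.abcdserver[.]com"
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # skip oversized entries (assumed limit)


def refang(host):
    return host.replace("[.]", ".")


def scan_apk(apk_bytes):
    """Return (entry_name, reason) findings for one APK given as bytes."""
    findings = []
    needle = refang(C2_HOST_DEFANGED).encode()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            basename = info.filename.rsplit("/", 1)[-1].lower()
            if basename == DROPPER_ARCHIVE:
                findings.append((info.filename, "dropper archive name"))
            # Heuristic only: an encrypted or obfuscated host string
            # will not match, so a clean result here is not a clearance.
            if info.file_size <= MAX_ENTRY_BYTES and needle in apk.read(info):
                findings.append((info.filename, "C2 host string"))
    return findings


def build_sample(with_indicators):
    """Build a tiny constructed APK-like ZIP (test data, not a real sample)."""
    dex = b"dex\n035\x00"
    if with_indicators:
        dex += b"https://" + refang(C2_HOST_DEFANGED).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
        if with_indicators:
            # "assets/" is an assumed location; the article gives no path.
            z.writestr("assets/mutter.zip", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_apk(build_sample(True)):
        print(f"{name}: {reason}")
```

A hit on either indicator is a reason to pull the APK for closer analysis; the absence of hits does not show the build is clean.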