Google has removed a legitimate-looking PDF creator app with 100 million downloads after security researchers revealed it contained Trojan malware.
Igor Golovin and Anton Kivva at Russian AV vendor Kaspersky decided to take a closer look at the popular CamScanner app after multiple negative reviews over the previous month indicated something had gone wrong.
“After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. Previously, a similar module was often found in preinstalled malware on Chinese-made smartphones. It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” they explained in a blog post yesterday.
“Kaspersky solutions detect this malicious component as Trojan-Dropper.AndroidOS.Necro.n. We reported to Google company about our findings, and the app was promptly removed from the Google Play.”
The dropper itself is designed to download and launch a payload from malicious servers under the control of the attackers to an already compromised Android device.
“As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions,” explained Golovin and Kivva.
Although Google is certainly getting better at screening apps on its official Play store for malware, this is just the latest case highlighting persistent security concerns for Android users visiting the site.
Earlier this month, security researchers at Dr.Web warned of a new clicker Trojan found in 33 apps on Google Play that had been downloaded over 100 million times.
Last month, Check Point revealed new malware linked to the sophisticated Agent Smith campaign, that had been seeded into 11 apps on the official marketplace, resulting in 11 million downloads.