On September 5th, 2019, a new update to the famous document scanner application CamScanner was confirmed. With over 100 million downloads, the CamScanner app is used to convert pictures in .jpg to a .pdf or .ppt format. The app was back on the Play Store with version 5.12.5. Although iOS users were not affected, the update also urged users to download or update to the new version.
Popularly known for converting photos of your physical documents into PDF files, CamScanner was recently found to have an advertising library containing a malicious module. Kaspersky researchers found the malware in the app. The phone-based PDF creator includes OCR (optical character recognition) and has more than 100 million downloads on Google Play. The app also goes by several names, such as CamScanner – Phone PDF Creator and CamScanner – Scanner to scan PDFs.
Official app stores such as Google Play are usually considered a safe haven for downloading software. Unfortunately, they do not turn out to be 100% safe, and from time to time malware distributors manage to sneak their apps into Google Play. The problem is that even a company as powerful as Google can’t thoroughly check millions of apps in the Google Play Store. We also need to keep in mind that most apps are updated regularly, so the Google Play moderators’ job is never done.
Being one of the most downloaded scanning apps on the Play Store, CamScanner is popular in that category. Such facts didn’t matter much to Google. Although most of the reviews of CamScanner on its Google Play page were positive, some users had reported suspicious behavior of the app while using the infected version. Researchers at Kaspersky examined one of the versions of the app at that time and found the malicious module there. These findings were reported to Google, and the app was promptly removed from Google Play. It looks like the app developers got rid of the malicious code with the latest update of CamScanner. Still, we need to keep in mind that versions of the app vary for different devices, and chances are that some of them may still contain malicious code.
So far, according to CamScanner, there’s no evidence of leaked document data due to the malicious code. After learning of the malicious code, CamScanner temporarily removed all advertising SDKs for security purposes. Despite all the actions taken, CamScanner had not provided an update on its “legal actions” against AdHub’s advertising SDK, which was the source of the malicious code.
The malware was initially found by Kaspersky researchers. On further analysis, the following is what the researchers discovered:
After learning of the malicious code in the famous scanner app, the researchers at Kaspersky analyzed it and reached a conclusion. According to Kaspersky, the malicious code was spotted in several CamScanner updates that were published between June and July. Some of the researchers at Kaspersky also identified the code as a Trojan Dropper, software that was discovered in some pre-installed apps on Chinese smartphones. As the name suggests, the module is a Trojan Dropper, which means that it extracts and runs another malicious module from an encrypted file included in the app’s resources in APK. The “dropped” malware is a Trojan downloader that downloads more malicious modules depending on what its creators are up to at the moment. These malicious modules show intrusive ads and sign users up for paid subscriptions to fake external services.
In one of the statements released on Twitter, CamScanner placed the blame for the malware on a third-party advertising SDK provided by AdHub. According to reports obtained by CamScanner, the SDK contained the Trojan Dropper module, which it used to produce ‘unauthorized advertising clicks.’ The CamScanner team also said that they would take immediate legal action against AdHub.
Near the end of July, CamScanner also released a statement to spread awareness and urge people to update their antivirus apps and download antivirus apps directly from the Play Store. CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time. It used ads for monetization and also allowed in-app purchases. But at some point that changed, and some versions of the app shipped with an advertising library containing a malicious module.
What users can learn from this incident is that any app – even one with a good reputation, even one from an official store, and even one with millions of good reviews and a big, loyal user base – can turn into malware overnight. There is no certainty about when anyone can get attacked; every app is just one update away from a major change. To make sure you never find yourself in such trouble, use a reliable antivirus app for Android and scan your smartphone from time to time.
Also, to avoid unnecessary problems, if your installed version is not updated to the latest version, uninstall the app. Doing so helps keep your data from being compromised or misused. If you don’t want to use CamScanner at all, you can find alternatives on the Play Store such as an app named ‘CamScanner HD’, but it is not trustworthy, as the authenticity of the app is doubtful. For now, some of the best options to scan and convert PDF documents are Adobe Scan, Microsoft Office Lens, or even the built-in scanning functionality of the Google Drive app.
We appreciate the willingness to cooperate that we’ve seen from CamScanner representatives, as well as the responsible attitude to user safety they demonstrated while eliminating the threat. We’ve rephrased the line above about paid subscription services to make it clear that the paid subscriptions initiated by malicious modules are not to be mistaken with a legitimate subscription model that many users adopted by choice. The malicious modules containing the code were removed from the app immediately upon Kaspersky’s warning, and Google Play has restored the app.