A malicious app has been downloaded more than 100 million times directly from the Google Play app store. The app, called CamScanner, allowed mobile devices to create PDFs.
This is a troubling revelation, given that Google Play stands right alongside the Apple App store as one of the biggest destinations for downloading free and paid apps. Many internet users assume they can trust an app with millions of downloads on Google Play, but that's just not always the case.
Here's how that app slipped through, and what it means for the cyber-safety of app downloaders everywhere.
CamScanner App: What Happened?
So how did CamScanner pull its scam? By starting out its life as a completely safe, legal, and useful app, which monetized through typical practices including ads and in-app purchases. Millions downloaded it.
Then, via an update, malware was slipped into the app:
“Recent versions of the app shipped with an advertising library containing a malicious module,” explains a post from Kaspersky, the cybersecurity company whose researchers uncovered the scam.
“Kaspersky products detect this module as Trojan-Dropper.AndroidOS.Necro.n, which we have observed in some apps preinstalled on Chinese smartphones. As the name suggests, the module is a Trojan Dropper. That means the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This ‘dropped' malware, in turn, is a Trojan Downloader that downloads more malicious modules depending on what its creators are up to at the moment.”
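The dropper pattern Kaspersky describes (an encrypted file shipped in the app's own resources that is decrypted and loaded at runtime, which then fetches further modules) leaves two static traces that an analyst can look for before ever running the app: a resource blob whose byte distribution is near-random, and bytecode that references a dynamic class loader. The script below is an added example written for this article, not code from Tech.co or Kaspersky, and it is a triage heuristic rather than a detection of Necro specifically. The in-memory sample "APK" (APKs are zip archives), the resource names, the 7.5-bit entropy threshold and the list of loader class names are constructed assumptions; real packages carry legitimate high-entropy media and legitimate dynamic loading, so the script only raises a flag when both signals appear together.

```python
import io
import math
import random
import zipfile

# Dalvik loader classes whose presence in classes.dex means the app can
# execute code it did not ship as ordinary bytecode (assumed marker list).
DYNAMIC_LOAD_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
)

# Resource types that are legitimately high-entropy (compressed media),
# excluded to cut false positives.
MEDIA_SUFFIXES = (".png", ".jpg", ".webp", ".zip", ".mp3", ".mp4", ".ogg", ".gz")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniform random, text sits near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Static triage of one APK: flag encrypted-looking resources plus dynamic loading."""
    findings = {"high_entropy_resources": [], "dynamic_loading": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            data = z.read(name)  # decompressed content
            if name.endswith(".dex"):
                if any(m in data for m in DYNAMIC_LOAD_MARKERS):
                    findings["dynamic_loading"] = True
            elif name.startswith(("assets/", "res/raw/")) and len(data) >= min_size:
                if name.endswith(MEDIA_SUFFIXES):
                    continue
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings["high_entropy_resources"].append((name, round(ent, 2)))
    # An encrypted blob alone is common (licences, obfuscated configs); a class
    # loader alone is common (plugin frameworks). The dropper pattern needs both.
    findings["suspicious"] = findings["dynamic_loading"] and bool(findings["high_entropy_resources"])
    return findings


def build_sample_apk(encrypted_payload: bytes, loads_dynamically: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake dex and two resources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        loader_ref = b"Ldalvik/system/DexClassLoader;" if loads_dynamically else b"Landroid/app/Activity;"
        z.writestr("classes.dex", b"dex\n035\x00" + loader_ref)  # not a real dex, just the strings we scan
        z.writestr("assets/config.dat", encrypted_payload)
        z.writestr("res/raw/help.txt", b"plain text help " * 100)
    return buf.getvalue()


# Constructed "encrypted" payload: deterministic pseudo-random bytes, entropy ~7.95.
_rng = random.Random(7)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_SUSPICIOUS = build_sample_apk(ENCRYPTED_BLOB, loads_dynamically=True)
SAMPLE_BENIGN = build_sample_apk(ENCRYPTED_BLOB, loads_dynamically=False)

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_apk(sample))
```

Run against a real package by reading the `.apk` file into `triage_apk`; a hit is a reason to pull the app into a sandbox and watch its network traffic, not a verdict, and an update that newly introduces both signals to a previously clean app (the CamScanner case) is the change worth alerting on.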
Users had already begun to voice their doubts in reviews of the app, which may have drawn Kaspersky's attention.
Once reported, the app was immediately removed from Google Play, ensuring no one else will be tricked. At least, not by that particular app. The latest version of CamScanner has had the malicious code removed, according to Kaspersky.
Android's Malware Struggles
Google Play is home to millions of apps, many of which are updated regularly, and there's no way Google can ensure that every single one is legit. Still, it's rare to see malware with a hundred million downloads.
Other Android malware incidents? More common.
Ironically, the biggest scam that Android users fell for in early 2018 was fake virus alerts that were themselves malware. One firm detected over half a million of these scams in the first quarter of last year, along with more than a hundred thousand cases each of scams hidden in adult dating sites or posing as fake sweepstakes winner notifications.
Even worse, there's a chance that an Android device ships with malware already installed. A May 2018 report from Avast Threat Labs uncovered a few hundred devices with pre-installed malware sold by vendors including ZTE, Archos and myPhone. The devices were all cheap, not certified by Google, and sold mainly in Russia, Germany, Italy, the UK, and France, according to Engadget.
Best Practices for Staying Safe
You can still download your Android apps from Google Play. Some apps can be malicious, but they are always rapidly removed when noticed. Here's how to limit the threats to your phone while downloading Android apps.
- Get a trusted antivirus program — And yes, you might accidentally download malware while trying to download the right antivirus program.
- Check the recent app reviews — Skimming the reviews is always a good idea. Pay the most attention to the most recent reviews, as they're more likely to be reviewing the most recent version of the app, and that's the version you're actually downloading.
- Don't venture into un-Google-certified territory — The Google Play store might not be totally safe, but it's still the best place to get your Android apps. Google vets the store, and, as we mentioned, it's rare to actually see an app as big as CamScanner turn to the dark side.
Sure, it's impossible to stay 100% safe. But with these tips, you can hover comfortably around the 99% safe mark.