Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam

The owners of a popular barcode scanner app that became a malicious nuisance on millions of devices with one update say that a third-party buyer was responsible.

Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play, with over 10 million installs, turned into malware overnight.

Having gained a following and acted as a harmless tool for years, in recent months the app drew complaints from users that their mobile devices were suddenly full of unwanted adverts.

Barcode Scanner was fingered as the culprit and the source of the nuisanceware, tracked as Android/Trojan.HiddenAds.AdQR. The researchers traced the cause to malicious updates, with aggressive ad pushing implemented in the app’s code.

The app’s analytics code was also modified, and the updates were heavily obfuscated.

Malwarebytes said the owner, Lavabird Ltd., was likely responsible, based on the ownership registration at the time of the update. Once reported, the app was pulled from Google Play.

At the time, Lavabird did not respond to requests for comment. However, the vendor has now reached out to Malwarebytes with an explanation of the problem.

On February 12, Malwarebytes said that Lavabird blamed an account named “the space team” for the changes, following a purchase deal under which the app’s ownership would change hands.

Lavabird bought Barcode Scanner on November 23, and the subsequent deal with the space team was agreed on November 25.

While the research team has been unable to contact “the space team,” Lavabird told Malwarebytes on February 10 that they were “outraged no less,” and that Lavabird only acted as an “intermediary” between “the seller and the buyer in this situation.”

According to Lavabird, the company develops, sells, and buys mobile applications. In this case, the company insists that the space team, as the buyer of Barcode Scanner, was allowed access to the app’s Google Play console to verify the app’s signing key and password before purchase.

It was the buyer, Lavabird says, that pushed the malicious update to Barcode Scanner users.

“Transferring the app’s signing key when transferring ownership of the app is a normal part of [the] process,” the researchers commented. “Therefore, the request by ‘the space team’ to verify that the private key works by uploading an update to Google Play seems plausible.”

After the update was performed, the app was transferred to the buyer’s Google Play account on December 7. However, Malwarebytes says that at the time of the malware update, ownership still belonged to Lavabird.

The first malicious update took place on November 27, and subsequent updates obfuscated the malware’s code, up until January 5, before the app was unpublished.

Lavabird did not verify the buyer, who was found through “word of mouth.” However, the company did say that “this lesson will remain with us for life.”

“From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it,” commented Malwarebytes researcher Nathan Collier. “In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if only half of these installs updated the app, that is quite a number of infections. And by being able to modify the app’s code before full purchase and transfer, they were able to test whether their malware went undetected by Google Play on another company’s account.”

If true, and this is a claim Collier accepts, the case highlights an interesting way for threat actors to exploit app developers and buyers, and to test the exposure of malware on Google Play through established and trusted user bases.

“We are very sorry that the application has become a virus; for us it’s not only a blow to our reputation,” Lavabird told Malwarebytes. “We hope users will remove the app with the virus from their phones.”

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0