Popular CamScanner Android app with over 100 million downloads found loaded with malware

• The malicious Trojan-Dropper can help attackers install other malware to steal banking credentials or generate fake advertisements.
• Security researchers recommend users to uninstall the app from their phones.

The popular “CamScanner” Android App, downloaded by Android users more than 100 million times, was recently discovered to be riddled with offensive malware. Kaspersky researchers discovered the malicious components of the app following a series of negative reviews on the Google Play store.

What does CamScanner do?

CamScanner app scans documents using its Optical Character Recognition (OCR) feature and converts them into PDF files. The app is available for free download from the Google Play store. This popular app was developed and maintained by INTSIG Information Co Ltd and helps users to convert any printed document into a PDF file.

The app and its functionality seem to be legitimate as the app owners generate their revenue from the in-app advertisements. Security researchers also pointed out that one of the advertising libraries that the app owners pushed recently contained the malware component.

Who discovered the malware?

Security researchers Igor Golovin and Anton Kivva at Kaspersky Labs discovered the malware and named it as “Trojan-Dropper.” They also published a detailed technical analysis of the malware component. The researchers also added that the malicious component detected as “Trojan-Dropper.AndroidOS.Necro.n” was found pre-installed in some of the apps on Chinese smartphones.

Necro.n Trojan-Dropper

According to Kaspersky researchers, the Trojan-Dropper is designed as a delivery mechanism for other malware with a specific purpose. The Trojan-Dropper component downloads additional modules from the command and control server and executes the code to download and launch the payload from the malicious server. Hence, the dropper helps attackers to install other malware that steals banking credentials or generates fake advertisements and signup for fake subscriptions.

Mitigation

Kaspersky reported the malicious nature of the CamScanner app to Google and they removed the app from the Google Play store promptly. However, may other Android users who use the app are still unaware of the malicious nature. Researchers suggested users who have the app installed to remove it from their phones.

At the time of writing this article, the malicious CamScanner app was already removed from the Google Play store. Although, the licensed and HD version of the app is still available for download.

The bottom line

Although Google has brought in many security features for users downloading apps from the Google Play store, malicious actors continue to sneak in codes on certain apps from time to time.