Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam

The owners of a popular barcode scanner application that became a malicious nuisance on millions of devices with one update insist that a third-party buyer was to blame. 

Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play that accounted for over 10 million installs became malware overnight. 

Having gained a following and acting as innocent software for years, in recent months, users began to complain that their mobile devices were suddenly full of unwanted adverts. 

Barcode Scanner was fingered as the culprit and the source of the nuisanceware, tracked as Android/Trojan.HiddenAds.AdQR. The researchers tracked malicious updates as the reason -- with aggressive advert pushing implemented in the app's code. 

The app's analytics code was also modified and updates were heavily obfuscated. 

Malwarebytes said the owner, Lavabird Ltd., was likely to blame, due to the ownership registration at the time of the update. Once reported, the software was pulled from Google Play.

At the time, Lavabird did not respond to requests for comment. However, the vendor has now reached out to Malwarebytes with an explanation for the situation. 

On February 12, Malwarebytes said that Lavabird blamed an account named "the space team" for the changes following a purchase deal in which the app's ownership would change hands. 

Lavabird purchased Barcode Scanner on November 23, and the subsequent space team deal was agreed on November 25.

While the research team has been unable to contact "the space team," Lavabird told Malwarebytes on February 10 that they were "outraged no less," and Lavabird only acted as an "intermediary" between "the seller and the buyer in this situation." 

According to Lavabird, the firm develops, sells, and buys mobile applications. In this case, the company insists that the space team buyer of Barcode Scanner was allowed access to the Google Play console of the app to verify the software's key and password prior to purchase. 

It was the buyer, Lavabird says, that pushed the malicious update to Barcode Scanner users. 

"Transferring of the app's signing key when transferring ownership of the app is a legitimate part of [the] process," the researchers commented. "Therefore, the request by "the space team" to verify that the private key works by uploading an update to Google Play seems plausible."

After the update was performed, the app was transferred to the buyer's Google Play account on December 7. However, Malwarebytes says that at the time of the malware update, ownership still belonged to Lavabird. 

The first malicious update took place on November 27 and subsequent updates obfuscated the malware's code, up until January 5, before the app was unpublished. 

Lavabird did not verify the buyer, who was found through "word of mouth." However, the company did say that "this lesson will remain with us for life." 

"From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it," commented Malwarebytes researcher Nathan Collier. "In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if a fraction of those installs updates the app, that is a lot of infections.  And by being able to modify the app's code before full purchase and transfer, they were able to test if their malware went undetected by Google Play on another company's account."

If true, and this is a claim accepted by Collier, the case highlights an interesting way for threat actors to exploit app developers, traders, and test the exposure of malware on Google Play through established and trusted user bases. 

"We are very sorry that the application has become a virus, for us it is not only a blow to our reputation," Lavabird told Malwarebytes. "We hope users will remove the app with a virus from their phones."

Previous and related coverage

• With one update, this malicious Android app hijacked millions of devices
  
• Cerberus banking Trojan source code released for free to cyberattackers
  
• Colombian energy, metal firms under fire in new Trojan attack wave
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0