This is possibly tied to the recent assault on the ZXing Barcode scanner app[1].<p>This is a legit open source app that's been recently flooded by 1-star reviews claiming that the app contains malware, probably in order to get users to switch to the other apps.
The funny thing is this app has not been updated since 2019 on the Play Store, so those reviews are clearly bogus.<p>It takes a special kind of scum to slander an open source project in order to push malware.<p>[1]: <a href="https://play.google.com/store/apps/details?id=com.google.zxing.client.android" rel="nofollow">https://play.google.com/store/apps/details?id=com.google.zxi...</a>
Even legitimate app developers have no incentive to keep their apps sterile. Someone just has to approach you with your 10+ million users barcode scanner app and offer you +50,000$ in order to install some automated ad clicker for them.<p>Don’t be naive, the majority will accept the money and gladly.<p>I believe that particularly makeshift applications such as e.g. barcode scanners are susceptible to this kind of overtake. Apps that offer what should have been offered by the OS vendor in the first place. Why should the app developer refuse the money if what their app offers will be incorporated in a next OS update by anyways? Why defend your mini-adapter-app in an ocean of mini-adapter-apps, with yours becoming so large just because of a random seed and path dependency?<p>This can have a big impact for end users. Imagine an authenticator app ending service to all their users in such a scheme and how you will be cut out from all your accounts by this. How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?
The only reason this was detected was very overt behavior - opening AD popups. So I guesstimate for each one of these we have 10 that go undetected.
This means the whole ecosystem is broken, as there is no reason this will happen only for updates and not for new apps as well. Apple's ecosystem is somewhat better, but I can't imagine they go through every line of code in each package, so most of their review is probably done with some combination of automatic static and dynamic analysis, and these can be fooled. The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.
I stick to F-droid android app store. it asks developer to submit their code which gets compiled by the F-Droid team. apps with proprietary codes are flagged.<p>few QR code apps from F-Droid.<p><a href="https://f-droid.org/en/packages/com.example.barcodescanner/" rel="nofollow">https://f-droid.org/en/packages/com.example.barcodescanner/</a><p><a href="https://f-droid.org/en/packages/com.secuso.privacyFriendlyCodeScanner/" rel="nofollow">https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...</a>
I recently noticed that the "Barcode Scanner" app by ZXing (<a href="https://play.google.com/store/apps/details?id=com.google.zxing.client.android" rel="nofollow">https://play.google.com/store/apps/details?id=com.google.zxi...</a>) was being review-bombed with 1* reviews. People were talking about the "recent update", even though the last update is from February 2019. As far as I know, that app is open source and never contained ads. (Of course, without reproducible builds, we'll never know for sure.)<p>Was ZXing also hit by some issue, or is that just confused people that mistook the ZXing barcode scanner for the Lavabird barcode scanner?<p>In the comments of the article, someone wrote:<p>> The Zxing project is the flagship open source barcode scanner project for many years, and the December 2020 build was infected with malware. That bad build has been removed, of course, but the damage to the project continues.<p>Is there any further information on this?
I was 100% impacted by this. I've used that barcode scanner app for pretty much forever. I can't be 100% certain, but it's one of the first apps I ever installed on my first android phone (around '08/'09). It was what I directed other people to since all the other barcode scanners had ads.<p>Around the end of December started seeing web page notifications after my phone had been locked for a while. I clear those and it goes away for a day or so. I originally attributed it to an open tab, or some site that I had inadvertently enabled notifications for. It took me a few days of seeing these and checking browsers to realize it was more, so I started checking apps recently installed. I even installed malwarebytes to do a scan, found nothing. There were three recently updated, including barcode scanner. I opened that and malwarebytes immediately flagged it. So the scanner seemed to know about it at that time, but couldn't detect it until you actually opened the application.<p>I used to have Theft Aware before it got bought by Avast, and I tried Lookout some years ago. But it was this incident that finally convinced me to install and keep anti-malware app on my phone. I've also disabled app updates from the play store.<p>EDIT: Mine was by "The Space Team", not the one listed in the article. Seems like a number of barcode scanner apps were targeted recently.
One can say that the solution to this is more control/power for the app store, but te opposite, the solution for this problem on computer was solved decades ago:<p>Open source software and more open and transparent platforms!<p>Today users of common brands of Android and Apple devices are really restricted in control of their devices, so there is very few ways to check what the system or apps are doing, inspect, firewall/limit things, go tinker inside the apps.<p>And as said by other people, most of the time you have auto updates forced on users and so app developer does not even have to really justify what changed and why.
When the Apple App Store contained malware compiled by unsuspected Chinese developers using a local cache of Xcode [1], Apple emailed the developers to prompt them to update their application immediately and removed them from sale.<p>Apple also contacted users directly to alert them of whatever apps they had purchased on the App Store were compromised so they could monitor for updates, or remove the app entirely.<p>Has Google done the same? Neither Apple or Google have the ability to directly remove apps on a users device, but simply removing it from the store and then having users rely on a solution like MalwareBytes seems like Google is abnegating their responsibility of a safe marketplace.<p>[1] <a href="https://en.wikipedia.org/wiki/XcodeGhost" rel="nofollow">https://en.wikipedia.org/wiki/XcodeGhost</a>
This is precisely why I have auto-updates turned off. No minor security or bug updates are worth getting an all-out infection(or unexpectedly losing features).
I was affected by this. Funny how Malwarebytes wants to turn this into positive PR about how they reacted "quickly".<p>I installed just about every Android anti-malware app that I could find in late January, and none detected the bad app.<p>Finally by googling some of the ad domains that kept popping up, I found the forum discussion that they mention. In other words it took them about two months to react!<p>Edit: either it took forever or there are multiple barcode scanner apps that are affected and they didn't find all of them.
I found this behavior in the Barcode Scanner app by "the space team"<p>That was not one that was mentioned by the article<p>It's url: <a href="https://play.google.com/store/apps/details?id=com.qrcodescanner.barcodescanner&showAllReviews=true" rel="nofollow">https://play.google.com/store/apps/details?id=com.qrcodescan...</a><p>(See the reviews)
What I don't understand is why the internet permission (one of the most dangerous permissions in my opinion) is assumed to be always requested and not even reported when downloading an app. Sure, most apps need it (most of them for ads though) but at least warn me before installing like you do with other permissions like calls and sms.<p>But wait, there is more, that permission (and some others) are considered so harmless that if you install an app without it, and then the developer publish an update with it, play store will automatically update it without even asking! Remember this doesn't happen with 'dangerous' permissions, so apparently Google thinks accessing the internet is not dangerous at all.
QR Reader are load of everything. I went mad to find one a decent one for my parents’ android phone and apparently it doesn’t exists. So in a weekend I’ve created one without any kind of tracking, ads, permission, whatever. Here it is if you guys need one -><p><a href="https://play.google.com/store/apps/details?id=com.prof18.secureqrreader" rel="nofollow">https://play.google.com/store/apps/details?id=com.prof18.sec...</a>
Thinking about it, Apple seems like they'd have better dealt with this sort of issue in four ways:<p>* Stricter review process to catch this preemptively<p>* Stricter app isolation to limit impact without a vulnerability explicit<p>* Longer maintained and more forceful operating system updates to minimize the number of phones running with known exploits<p>* Likely removing/disabling app from phones and not just the app store
I wish Google would inform the users when they remove an app from Google Play due to it containing malware. I'm not sure if they also remove it remotely from the devices, I think they don't, because I once had an affected file explorer which then got removed from Google Play but not from my device.<p>The same goes for Chrome Extensions which have been removed from the Chrome Web Store. In that case, they get removed automatically from the browser, which is somewhat ok. I would prefer that they would get disabled without me being able to enable it again, and get labeled as malicious. Because how else can I verify that I once installed an extension or an app which then turned malicious?<p>Currently I know that either one of my or my dad's devices has something malicious on it, because I got an HTTP GET request to a URL whose full path is only known to our devices (and only via HTTPS).
My first ever mobile app was an experimental bit of Android Malware. It got demo'd by my colleague at Blackhat [1]. I'm definitely not a hacker, but with a few basic tricks I was able to create a pretty effective trojan which we then injected into a popular game (again only for experimental purposes, it was never released in the wild). In our lab we had literally millions of samples of Android malware, but for iOS we had only two (which only worked on jailbroken phones). Fun times.<p>1. <a href="https://www.softwaretalks.io/v/4047/black-hat-usa-2013-how-to-build-a-spyphone" rel="nofollow">https://www.softwaretalks.io/v/4047/black-hat-usa-2013-how-t...</a>
This is even worse when the app in question comes preinstalled on your Samsung tablet and can't be uninstalled (but afaik it can be stopped and downgraded).<p><a href="https://fossbytes.com/peel-remote-use-remove-smart-remote/" rel="nofollow">https://fossbytes.com/peel-remote-use-remove-smart-remote/</a>
"Truth be told, Peel Remote has been scrutinized for more than a year because of the company desperate measure to gain revenue. In 2017, the app introduced a malign ad practice of unethical lock screen ads and overlays."<p>My girlfriends tablet just started turning the screen on at random times. It took some time to find out which app causes this.
<i>Quote from Malwarebytes site: "Peter V. Jaspers-Fayer - Why does this article not contain the publisher and the icon of the app in question? There are many called "Barcode Scanner", and by omitting this information, you have caused unwarranted panic by users of innocent apps of the same name."</i><p>The fact that Google allows applications on Google Play to have identical/duplicate names is a significant ongoing problem as it causes considerable confusion.<p>I'm not against apps that have similar functions having identical (duplicate) filenames as this stops developers having to dream up ridiculous names that have little or no bearing to an app's function but it would make sense to separate the apps in some simple way that users could easily identify. For instance, apps with identical names could be flagged in many ways such as, say, Google providing a sequence number to the end of the filename. And I'm sure there are many other suitable ways I've not thought of.<p>As for the fact that Google lets malware onto Google Play and that it has happened many times demonstrates the fact that Google doesn't consider the matter of highest importance. That's to say, keeping malware off users' Android phones is not as important as making money from its advertisers.<p>If keeping malware off apps were equally important to Google then this is malware would have unlikely escaped Google's monitoring, as Google has just about every technical measure at its disposal to monitor apps for malware—and I'd venture to say that even its AI technology could be brought bear.<p>Clearly, if both issues aren't of equal importance in Google's eyes then it raises questions as to why Google keeps changing or adding certain features to its Android operating system in the name of security but which annoy users (and in effect violate their privacy—in that users' data, etc are even more transparent to Google whether the user likes it or not).<p>Day by day, Google is proving itself to everyone to be more of a worry.<p>—<p>Note: I'm one of those who have an app on my phone named <i>'Barcode scanner'</i> and it took me a while to determine (fortunately) that the one I have installed is not the app in question.
Meanwhile they block the Terraria developer's Google account, after which he's decided to cancel his game's port to Stadia. How are they so bad at this? Literally driving away legitimate developers while letting scammers run wild.
I noticed the package name com.qrcodescanner.barcodescanner. and went to <a href="https://qrcodescanner.com/" rel="nofollow">https://qrcodescanner.com/</a> which advertises another very popular barcode scanner wescan.<p>they also offer an sdk of their own for including a barcode scanner into your app. <a href="https://github.com/WeTransfer/WeScan" rel="nofollow">https://github.com/WeTransfer/WeScan</a><p>I'm not really sure they are connected (package names don't verify domain names AFAIK). Just curious.
I had fullscreen ads on unlock with another barcode scanner app - IDK if it was this one or another one, but I remember blaming several other apps before figuring out it was a barcode scanner and removing it. The really frustrating part was that trying to open the app switcher to find out what app this was coming from would also dismiss the ad somehow.
Crazy to see this on HN. I was affected by this malware earlier this month and have both reported the app via the app store phone UI and submitted a full report w/ screenshots via the play stores web interface. Absolutely insane that I can still download this app from the play store and the devs account hasn't been nuked.
I stopped using apps from companies or projects I don't know some time ago. Which left basically small local companies, the big global ones and FOSS-projects. This of course is not perfect but at least leaves some sort of accountability.
We've built a QR Code and Barcode Scanner that is fully privacy compliant. It focuses on product search and providing local and online prices but the QR code Scanning is incredibly fast here: <a href="https://play.google.com/store/apps/details?id=com.biggu.shopsavvy&hl=en_US&gl=US" rel="nofollow">https://play.google.com/store/apps/details?id=com.biggu.shop...</a><p>If you guys have any features you'd like to see in a stand alone QR code Reader, let us know.
There are so many different issues here.<p>Arguably manual curation doesn't scale to google play store or apple app store size and automated scanning only gets you so far.<p>You have several possible threats.<p>1. Apps that are malicious from the start.<p>Best addressed by better automated testing.<p>2. Apps that become malicious particularly when the app changes hands.<p>Best addressed by making this impossible. James/foo should never be transferred ownership should result in Jane/foo which users would have to download.<p>3. Apps that aren't malicious but include a component that is user hostile. Virtually always included for money.<p>Best addressed by just forbidding apps with ads. We wont do this but not much of value would be lost.<p>4. Apps that include a component that isn't malicious but itself becomes malicious later.<p>Requires due diligence by the developer. Arguably one could imagine better automated enumeration of the constituent components to discern what might have been compromised so that developers could have their apps automatically pulled and informed that they were compromised. One could also imagine a statutory fine for paid that earn developer revenue wherein their product harms users. This couldn't accrue to free apps without making foss impossible. Eliminating apps paid for with ads would eliminate a gray area.<p>An interesting point for those who presently avoid ad laden apps is whether your paid for apps are infected with the same potential malware vectors as the ad supported version as whether or not to show ads may be solely a function of an in app purchase you have made. Your paid for app might therefore be just as vulnerable.<p>What reasonable measures would one expect Google to actually take? Probably only reactive measures like removing this particular app while making no meaningful moves to correct any systemic problems. In the longer term one might expect them to do a better job of finding malware automatically.<p>If you value not getting hacked in the longer term it looks like this is insufficient. If for example Fdroid is insufficient in scope of applications then perhaps we should work on improving this situation as Google is unlikely to fix this for us.
Why is a barcode scanner app able to open a web browser and navigate to a page without user interaction (just by being installed)? That's the real question here.
The developer's street address, as shown in the malwarebytes screenshot, is obviously either incomplete or bogus. There's no city or country, and a weird unit number. Is Google Play really approving apps from such dubious sources?<p>Or does Google have the full address? Seems unlikely
We are the same guys want every app to be free. Do you expect bread to be free or coffee to be free?
Why we expect apps to be free even from google?<p>How do you think small app developers earn money by displaying ads?
But we want ads to be blocked and don’t want to pay money
What in the seven hells is this? Why on earth would any app <i>not running in the foreground</i> of my mobile device have the ability to launch a random web page?<p>Guess this is why some walled gardens look a lot nicer from the inside...
Simple scanner turns evil.. these kind of apps should have been offered by the respective OS, as a standard app. If the money involved are correct, then are the developers to blame?! I'm not sure to be honest.
Imagine if this app had opened the Chrome browser tabs to a specially crafted webpage that exploited a vulnerability in Chrome like the recent zero days in the V8 scripting engine.
I use this one from F-Droid:<p><a href="https://f-droid.org/en/packages/com.secuso.privacyFriendlyCodeScanner/" rel="nofollow">https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...</a><p>you can directly download the APK from that site, don't need an F-Droid client.<p>If you want an F-Droid client, i recommend Foxy Droid. Unfortunately lacks some features of the official one but way faster and nicer to use.<p><a href="https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/" rel="nofollow">https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/</a>
Does any know what SDK they were using? I work in adtech and would like to review traffic from this SDK and potentially block it.<p>Edit: Seems they're using MoPub and AdMob
Most apps on Android behave like a malware. The most annoying ones are those who randomly take over the screen and play ads with annoying music and you have no way to close it quickly and you don't know which app is displaying those. Only solutions so far is to actually disable apps one by one and see if the problem appear.
I think Google should remove all apps that do that.
My friend's phone who is not IT literate, essentially looks as the IE6 back in the day.
The OG Barcode Scanner app is getting absolutely throttled with negative reviews. But this posting seems to be about a clone app by a different developer.<p><a href="https://en.wikipedia.org/wiki/Barcode_Scanner_(application)" rel="nofollow">https://en.wikipedia.org/wiki/Barcode_Scanner_(application)</a><p><a href="https://play.google.com/store/apps/details?id=com.google.zxing.client.android" rel="nofollow">https://play.google.com/store/apps/details?id=com.google.zxi...</a>
I don't get why no barcode scanner app is shipped with Android. It's such a basic functionality. Edit: apparently it IS shipped on iOS and at least my Lineage OS default camera app has a QR code reader too.