An Android app with more than 100 million downloads from the official Google Play Store contained a backdoor that permitted the installation of any kind of malicious software without the phone user’s knowledge, Kaspersky researchers disclosed yesterday (Aug. 27).
The app, called CamScanner, lets you digitize text and create PDFs from documents simply by photographing them; it was removed from the Play Store after Kaspersky notified Google. But the simple fact that it was in there at all shows how difficult it is to keep malware out of the official Android app store (or, alternately, what a lousy job Google is doing at it).
If you’ve got a copy of CamScanner on your Android phone, uninstall it. If you’ve got good Android antivirus software on your phone, run a scan. If you don’t, get some.
On the upside, not everyone who installed CamScanner got the backdoor on their phones, especially if they didn’t bother updating the app.
“CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time,” a Kaspersky blog posting yesterday said. “However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”
Igor Golovin and Anton Kivva, the Kaspersky researchers who documented the malware, theorize that CamScanner’s developer, INTSIG Information Co., Ltd., might not even have been aware of the infection.
“It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” they wrote in the Kaspersky technical writeup.
That’s certainly possible. Many mobile apps have only limited control over where their ads come from, and malicious ad injection — “malvertising” — has plagued legitimate websites for many years.
But the upshot was that the backdoor — a “dropper” in information-security parlance — would open up a clandestine avenue to far-off servers, which could then push down any kind of software for installation on phones running CamScanner.
“The owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions,” Golovin and Kivva wrote.
Ironically, or perhaps tragically, the backdoor had been removed from the most recent version of CamScanner before Google kicked the app out of the Play Store, the researchers said. (An app that creates a “license” for the paid version of CamScanner is still in Google Play, as is an older version of the app called CamScanner HD.)
How to avoid infection
So how do you keep malware out of your Android phone when even the official Play Store can be infected?
First, check the user comments on every app before you install it. The Kaspersky researchers were tipped off to the CamScanner problem because “negative user reviews that ha[d] been left over the past month have indicated the presence of unwanted features.”
Second, check the permissions on the app. On a desktop or laptop, scroll all the way down on the app’s Play Store web page and click “View details” under Permission. On a phone or tablet, click “About this app” on the Play Store app page, scroll all the way down to “App permissions” and tap “See More.” If an app that doesn’t need to make calls, use audio or get your specific location takes those permissions anyway, that should raise red flags.
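For readers who would rather check an installed app from a computer than scroll through the Play Store page, here is an added example (not from the article, Kaspersky or INTSIG) that parses the “requested permissions” section of `adb shell dumpsys package <package>` output and reports the three red-flag permissions the article names; the package name and the dumpsys sample are constructed, not real CamScanner data.

```python
# Permissions a document scanner has no business requesting, mapped to the
# article's plain-English red flags (calls, audio, precise location).
RED_FLAGS = {
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.RECORD_AUDIO": "use audio",
    "android.permission.ACCESS_FINE_LOCATION": "get your specific location",
}

# Constructed sample of `adb shell dumpsys package com.example.scanner`
# output (hypothetical package); real output contains many more sections.
SAMPLE_DUMPSYS = """\
  Package [com.example.scanner] (a1b2c3d):
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""


def requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    perms = []
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            # The section ends at a blank line or the next 'header:' line.
            if not stripped or stripped.endswith(":"):
                in_section = False
                continue
            # Some Android versions append ': restricted=true'; keep the name only.
            perms.append(stripped.split(":")[0])
    return perms


def red_flags(dumpsys_text):
    """Map each red-flag permission the app requests to the article's label."""
    found = requested_permissions(dumpsys_text)
    return {p: RED_FLAGS[p] for p in found if p in RED_FLAGS}


if __name__ == "__main__":
    for perm, label in red_flags(SAMPLE_DUMPSYS).items():
        print(f"red flag: {perm} ({label})")
```

Feed it the real output of `adb shell dumpsys package <package>` to check an app already on the phone; an empty result means none of the three red-flag permissions is requested, not that the app is safe.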
Third, install and use good Android antivirus software, as mentioned earlier. Kaspersky naturally recommends its own Kaspersky Internet Security for Android, which is pretty good, but we also like Bitdefender Mobile Security and Norton Mobile Security. Bitdefender even has a no-cost version called Bitdefender Antivirus Free for anyone who doesn’t want to pay $15 a year.