“When good apps go bad” seems to be the name of the digital game nowadays. The Great Suspender browser extension recently showed its true colors, and now joining it in malware purgatory is the longtime Android favorite “Barcode Scanner” app—despite its more than 10 million installations.
Our usual advice applies, with one important caveat: If you’ve installed Barcode Scanner on your Android device and Google hasn’t already removed the app on your behalf, now’s as good a time as any to get rid of it. However, make sure you’re getting rid of the right one. Malwarebytes’ recent report describes the Barcode Scanner app from Lavabird:
“…in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”
There’s another Barcode Scanner app, from ZXing, that doesn’t come with malware (as of this writing). It’s probably the Barcode Scanner app you’re thinking of, as it’s been available for Android for practically as long as the operating system has has existed. It’s fine to use, even though it’s getting review-bombed to hell because people assume it’s the malware app of the same name. Sigh.
How can you check which is which? If you can’t tell from the app icon, you can always pull up Settings> Apps & Notifications > See all… apps > Barcode Scanner, and then tap on Advanced > App details, which should take you to the listing in the Google Play Store. (The steps for your specific Android device might differ slightly). If the Google Play Store listing doesn’t exist, you have the bad Barcode Scanner app, and you should remove it right now.
And if you’re wondering if there’s anything you could have done about the malware-filled Barcode Scanner app? Not really. If an app has built an established presence on the Google Play Store, offers a useful service, and hasn’t been an issue for however many years it’s been around, there’s nothing that will tip you off about a developer’s intent to take advantage of all that goodwill for nefarious means.
Sure, you’ll notice that something is strange when your device starts acting up—a browser being launched without any interaction on your part, in this case—but it’ll be tricky to pinpoint what’s causing that problem. Generally speaking, you’ll want to see which of your apps have been recently updated and start digging around, but it’s also possible that an app that updated months ago is just now triggering some kind of malware mechanism or other shady practice (with the hopes that it won’t get caught).
It probably wouldn’t hurt to install an app like Malwarebytes’ Anti-Malware and run it from time to time; this can at least alert you if apps on your device are acting newly suspicious. You don’t even need the premium version of the app: Regular free scans should be fine (along with the app’s Privacy audit feature). You can also consider Sophos Intercept X, the advertising-filled Avast Antivirus, and plenty of others.
While I feel like it’s a rare situation to have an app goes rogue like this, and probably one that doesn’t warrant a real-time scanner running on your device, it never hurts to have a few such tools sitting around in case your phone starts doing something strange. If it does, do some scanning, check to see which apps have recently updated, and conduct some web searches of your own to see if you can identify the issue. Odds are good that if your phone is acting spammy, there’s an app to blame.