I became aware of this security case via a Facebook post. It's about the Android app Barcode Scanner. It seems the app was infected with an adware Trojan in one of its latest updates. Smartphones of affected users suddenly open random web pages in the browser app. Here is a brief summary of the case.
A post on Facebook
On Saturday, in a security group on Facebook, I came across a blog reader's post that immediately set my alarm bells ringing. The user reported that two of his Android devices suddenly open random web pages in the browser app.
For about 14 days, I have had the phenomenon on my work phone (Android) that tabs with strange pages constantly open in the browser, even when the phone is in standby.
I can quite safely rule out that I typed anything funny, because I use the phone very rarely, and then only to make calls or, rarely, WhatsApp.
Since today, the same happens on my private phone (Android). Sporadically, strange addresses open in the browser.
I cannot see any unwanted apps in the system menu under Apps or in the Play Store.
Does anyone have an idea where this comes from?
When I asked via PM, I got a response that the smartphone he uses for work is an Honor 6C Pro from Huawei. This reminded me of my blog post Cynos Android malware infects more than 9 million Huawei smartphones. However, the person affected stated that he had never used the Huawei store.
In addition, the person in question stated that the private cell phone was a realme 8 from oppo with Android 11. So the Huawei theory fell flat – and a supply chain attack like the one at Gigaset seemed unlikely to me. From this point on, I would have guessed an app that forces this behavior.
The person concerned then sent me the above screenshot and wrote: Such pages open sporadically in the browser. Even when the phone is unused in standby, throughout the day, even at night.
How to find the app?
When I asked the affected person about it, he said that he uses various apps, but there is nothing unusual about them. All apps were installed from the Google Play Store. The current version of Google Chrome is used as the browser on both devices. The user also writes that he does not remember typing anything questionable. Only links from Facebook that are opened in the browser could still flush something harmful onto the device. However, I am not currently aware of any malware for Android being distributed on Facebook.
In addition, it was said that the devices were on the latest available Android and all apps used on them were up-to-date. The person also stated that the apps had been in use on both devices and their predecessors for several years without any problems. There were in-app ads, but never the behavior described above.
In this situation, it is a good idea to have the smartphone scanned for malware by an antivirus app. He scanned with Malwarebytes, and the malware Android/Trojan.HiddenAds.AdQRtd was found in the Android app QR Code Scanner. Malwarebytes assigned this name and writes here:
Android/Trojan.HiddenAds is Malwarebytes' generic detection name for a large family of Trojans that are very commonly found on Android devices.
Symptoms: Aggressive ads are displayed and it is difficult for the end user to identify which app is displaying them. The adware is hidden and the user is not made aware of the ads during the installation.
According to the person concerned, the app in question is Barcode Scanner from Tech digital (see the image below) with over 1 million downloads.
The app was last updated on 11/9/2021. The affected person writes: This app has started opening these strange addresses in the browser since the last update in November 2021, can also be traced in the reviews. If you go to the reviews in the Google Play Store, you will find statements like:
Matthew Engstrom, November 16, 2021: BEWARE!! Since the app last updated on Nov 9 2021, each time I unlock my phone Chrome is the active browser with a link to get rid of malware or virus or to download a fix for something. I do not use Chrome and this app is mysteriously active even though it hasn't been used since moving to my new phone. App has been reported to Google, investigation pending.
Erica Hardee; December 3, 2021: DO NOT USE! Recently I've been noticing that when I close my phone's screen for a bit and the next time I open it chrome pops up with ads and messages saying I have a 27 viruses from visiting an adult site (? come on…). I see in my activity log that this app is used in times when I'm not on phone like when I'm asleep and at the exact same time these sites are also in my activity log. It's even spelled wrong! Since I deleted it, all the issues stopped. I AM PISSED! Notice email change over the years
There are more reviews with similar text. The developers write:
Our app is absolutely free! We have advertisements and they are located in specially designated places. The PRO version has no ads, and also contains interesting features. Regards, developer
But this does not help those affected – the behavior outlined above is not tolerable. The example shows once again how quickly you can catch something even with Android apps from the Google Play Store.
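One way to narrow down which installed app is opening the browser, as an added example that is not part of the original post: the script below reads ActivityTaskManager START lines from a logcat dump and attributes each browser launch to the calling app via its uid. The log excerpt, package names and uids are constructed; the assumed inputs are the output of `adb logcat -d` and `adb shell pm list packages -U`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

BROWSERS = {"com.android.chrome"}  # browser packages to watch (assumption)
# Constructed samples, not taken from the affected devices. Assumed formats:
# ActivityTaskManager START lines (logcat) and `pm list packages -U` output.
SAMPLE_LOGCAT = """\
12-03 02:14:07.120  1480  2933 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://ads.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10234
12-03 02:14:09.500  1480  2933 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.mail/.Inbox} from uid 10090
12-03 04:41:55.003  1480  1999 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://fix.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10234
12-03 09:02:11.640  1480  2933 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://news.example.org/... cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10180
12-03 09:05:30.000  1480  2933 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://news.example.org/... cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10120
"""
SAMPLE_PACKAGES = """\
package:com.example.scanner uid:10234
package:com.example.mail uid:10180
package:com.android.chrome uid:10120
"""
START_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ .*? START u\d+ \{([^}]*)\} from uid (\d+)")
FIELD_RE = re.compile(r"\b(act|dat|cmp)=(\S+)")

def uid_map(pm_output):
    """Map uid -> package names (several packages can share one uid)."""
    owners = defaultdict(list)
    for m in re.finditer(r"^package:(\S+) uid:(\d+)", pm_output, re.M):
        owners[m.group(2)].append(m.group(1))
    return owners

def browser_launchers(logcat, pm_output, browsers=BROWSERS):
    """Per calling package: (timestamp, host) of each web URL it made a browser open."""
    owners, hits = uid_map(pm_output), defaultdict(list)
    for line in logcat.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        ts, intent, uid = m.groups()
        f = dict(FIELD_RE.findall(intent))
        target, url = f.get("cmp", "").split("/")[0], f.get("dat", "")
        if (f.get("act") != "android.intent.action.VIEW" or target not in browsers
                or not url.startswith(("http://", "https://"))):
            continue
        callers = owners.get(uid, ["uid:" + uid])  # keep unknown uids visible
        if target in callers:                      # browser opening its own links
            continue
        hits["+".join(callers)].append((ts, urlsplit(url).hostname))
    return dict(hits)

if __name__ == "__main__":
    print(browser_launchers(SAMPLE_LOGCAT, SAMPLE_PACKAGES))
```

A package that shows up with repeated browser launches at times when the phone was idle, as the reviewers describe, is the one to uninstall and scan; occasional launches from an app in which a link was tapped are expected.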
German Gigaset Android Update Server probably delivers malware
Update on malware attack on Gigaset Android devices (April 6 2021)
Preliminary analysis of Gigaset malware attack through auto-installer in firmware
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 1
Malware infection of Gigaset Android devices: Analyses and options for action (April 8/9. 2021) – Part 2
Gigaset: Roadblocks in cleaning up the malware attack (April 12, 2021)
Malware infection of Gigaset Android phones and the WhatsApp/SIM problem