Half a million infected with malware via Google Play QR code apps

A series of apparently innocent QR code reader apps appears to have compromised up to 500,000 users after malicious actors uploaded malware-laced versions to Google Play.


According to a report from SophosLabs, seven QR code reader apps were found to contain adware called Andr/HiddnAd-AJ, which may well have avoided detection through a stealthy trick: it does not activate until six hours after installation. Once that delay has passed, the malware starts serving full-screen ads, opening ad-laden web pages, and sending users notifications with links to ads.


Lee Munson, Security Researcher at Comparitech.com told SC Media UK: “While the presence of adware-infected apps on Google Play is a major inconvenience to the half a million or so people duped into installing them, many will be relieved that the temporarily hidden payload was nowhere near as damaging as it could have been.


By waiting for six hours after first use, the malware hidden within the QR code readers was clever enough to circumvent Google's controls at the time but, now it has shown its hand, this means of worming bad apps onto the Play store is likely to be closed off, for now at least.

Despite the large number of people affected, official app stores should still be the go-to place for all installs though, as third-party sites have far fewer – if any – controls in place and malware is far more common away from the trusted supplier sites.”


The apps avoided detection by simply working as QR code readers, as advertised, so that users (and presumably Google Play's checks) were fooled; in addition, they concealed the adware code within what looks at first sight like a standard Android programming library.


“By adding an innocent-looking ‘graphics’ subcomponent to a collection of programming routines that you'd expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight,” said the Sophos researchers.


Ondrej Kubovic, security awareness specialist at ESET, told SC Media UK that caution over installing apps from any source was key: “First, users should remove the infected apps from their device. Users are also recommended to install reliable security software, scan their device and remove any remaining malicious code. To keep their Android device protected in the future, we would also recommend that they keep the device's operating system and apps up-to-date and also read reviews before installing a new app (mostly the negative ones, as the positive ones might be fabricated by the attacker).”


The IOC hashes of the infected apps are as follows; Google has since removed the apps from Google Play.


10e3ceb69f1e4818ebd5e481f9c86c076cd15052559553fdf1a52a00a8059208
12b9cff2408db664f136194b13424f2b2372979a66b1cbd2a9aba7fae0adb22c
161cf72020cf3b45726c2416c444bfbef37dd6e833b693fbd379752828f7d762
2a3a20788f04d5db1818a671d9076ce9374a526bb85c3eefc25fd7f9b584afef
8e4750fcf8bee1fe6e7204ab66c7decba6495c8ab82167fa901a32d0e7e7c87b
c0f8d15340d3b3d7a0e3e29a8b78323a446a5af91aedafde1d6ac03abd9fd8e5
cf378c1ce9556007f290025d83d1552b8a9b8f73d86a7db200a47d41c8b9c51f
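The seven indicators above are 64-hex-character digests, i.e. SHA-256 hashes of the APK files. A defender who has sideloaded or archived APKs can check them against this list directly. The following script is an added example written for this article, not code from SophosLabs, Google or SC Media: it hashes files in a directory, normalises the published indicators (one of them is printed with a capital first letter, and case-sensitive comparison would silently miss it) and reports any file whose digest matches. The directory path, the `.apk` suffix filter and the function names are the example's own choices.

```python
"""Check local APK files against the SHA-256 IOCs published for Andr/HiddnAd-AJ.

Added example for this article; not code from the article's sources.
"""
import hashlib
import sys
from pathlib import Path

# The seven SHA-256 indicators quoted in the article, copied verbatim
# (including the capitalised first character of the last one).
PUBLISHED_IOCS = [
    "10e3ceb69f1e4818ebd5e481f9c86c076cd15052559553fdf1a52a00a8059208",
    "12b9cff2408db664f136194b13424f2b2372979a66b1cbd2a9aba7fae0adb22c",
    "161cf72020cf3b45726c2416c444bfbef37dd6e833b693fbd379752828f7d762",
    "2a3a20788f04d5db1818a671d9076ce9374a526bb85c3eefc25fd7f9b584afef",
    "8e4750fcf8bee1fe6e7204ab66c7decba6495c8ab82167fa901a32d0e7e7c87b",
    "c0f8d15340d3b3d7a0e3e29a8b78323a446a5af91aedafde1d6ac03abd9fd8e5",
    "Cf378c1ce9556007f290025d83d1552b8a9b8f73d86a7db200a47d41c8b9c51f",
]

HEX_DIGITS = set("0123456789abcdef")


def normalize_indicators(indicators):
    """Return a set of lower-case SHA-256 hex digests.

    Whitespace and letter case are stripped so that a hash copied from a
    report with odd capitalisation still matches. Anything that is not a
    64-character hex string is rejected rather than silently ignored.
    """
    clean = set()
    for ioc in indicators:
        digest = ioc.strip().lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest: {ioc!r}")
        clean.add(digest)
    return clean


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large APKs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(file_hashes, indicators):
    """Compare a mapping of path -> hex digest against the indicator list.

    Returns {path: digest} for every file whose digest is on the list.
    Digests of the scanned files are lower-cased too, so the comparison is
    case-insensitive on both sides.
    """
    wanted = normalize_indicators(indicators)
    return {path: d.lower() for path, d in file_hashes.items() if d.lower() in wanted}


def scan_directory(root, indicators, suffix=".apk"):
    """Hash every *.apk under root (recursively) and return the IOC matches."""
    hashes = {
        str(p): sha256_of_file(p)
        for p in Path(root).rglob(f"*{suffix}")
        if p.is_file()
    }
    return match_hashes(hashes, indicators)


if __name__ == "__main__":
    # Usage: python ioc_check.py /path/to/apk/archive
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_directory(root, PUBLISHED_IOCS)
    if not hits:
        print(f"no files under {root!r} match the published indicators")
    for path, digest in sorted(hits.items()):
        print(f"MATCH {digest}  {path}")
```

A clean result only means none of these seven builds is present; repackaged variants with a different hash would not be caught by a hash list, which is why the ESET advice to uninstall and run a scanner still applies.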