A series of apparently innocent QR code reader apps may have compromised around 500,000 users after malicious actors uploaded malware-laced versions to Google Play.
According to a report from SophosLabs, seven QR code reader apps were found to contain adware called Andr/HiddnAd-AJ, which may well have avoided detection through a stealthy trick: it did not activate until six hours after download. Once that delay has elapsed, the malware starts serving full-screen ads and opening ad webpages, as well as sending users notifications with links to ads.
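The six-hour dormancy period described above is a timing-based evasion: the app behaves normally for long enough to pass short automated reviews. The script below is an added illustration, not Sophos's analysis or detection logic, of how an analyst might triage decompiled Android code for work deferred by suspiciously long intervals. It assumes decompiled Java-like source as input; the scheduling APIs it looks for and the sample snippet are constructed for the example, and the one-hour threshold is an arbitrary starting point rather than a rule.

```python
import math
import re

# Android APIs commonly used to defer execution. Assumption: this list is
# illustrative, not exhaustive; real triage would cover WorkManager,
# JobScheduler and obfuscated wrappers as well.
SCHEDULING_PATTERNS = [
    ("Handler.postDelayed", re.compile(r"\.postDelayed\(")),
    ("AlarmManager.set*", re.compile(
        r"\.set(?:Exact|Repeating|InexactRepeating|AndAllowWhileIdle"
        r"|ExactAndAllowWhileIdle)?\(\s*AlarmManager\.")),
    ("Timer.schedule", re.compile(r"\.schedule(?:AtFixedRate)?\(")),
    ("Thread.sleep", re.compile(r"Thread\.sleep\(")),
]

# Integer literal or a product of integer literals, e.g. "21600000" or
# "6 * 60 * 60 * 1000". The lookbehind skips digits inside identifiers.
NUM_EXPR = re.compile(r"(?<![\w.])\d+(?:\s*\*\s*\d+)*")

# Anything deferred by an hour or more is worth a closer look (assumption).
SUSPICIOUS_DELAY_MS = 60 * 60 * 1000


def product_of(expr: str) -> int:
    """Evaluate a literal product such as '6 * 60 * 60 * 1000' -> 21600000."""
    return math.prod(int(tok) for tok in re.split(r"\s*\*\s*", expr))


def find_deferred_work(source: str, threshold_ms: int = SUSPICIOUS_DELAY_MS):
    """Return scheduling calls whose literal delay meets the threshold.

    Each finding records the line number, the API family matched, the delay
    in milliseconds and the same delay in hours for quick reading.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for api_name, pattern in SCHEDULING_PATTERNS:
            if not pattern.search(line):
                continue
            for expr in NUM_EXPR.findall(line):
                delay_ms = product_of(expr)
                if delay_ms >= threshold_ms:
                    findings.append({
                        "line": lineno,
                        "api": api_name,
                        "delay_ms": delay_ms,
                        "hours": delay_ms / 3_600_000,
                    })
            break  # one API family per line is enough for triage
    return findings


# Constructed sample resembling decompiled Java from a QR reader app.
# The first two calls defer work by six hours; the third is a benign UI tick.
SAMPLE_SOURCE = """\
public void onCreate(Bundle b) {
    handler.postDelayed(this.adRunnable, 6 * 60 * 60 * 1000);
    alarmManager.set(AlarmManager.RTC_WAKEUP, now + 21600000L, pendingIntent);
    handler.postDelayed(this.refreshUi, 500);
    scanner.decode(frame);
}
"""

if __name__ == "__main__":
    for f in find_deferred_work(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['api']} deferred "
              f"{f['delay_ms']} ms ({f['hours']:.1f} h)")
```

Run against the constructed sample, the two six-hour deferrals are reported and the 500 ms UI refresh is ignored. A hit is a lead, not a verdict: legitimate apps also schedule long-delayed work, so the next step is to read what the deferred callable actually does.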
Lee Munson, Security Researcher at Comparitech.com, told SC Media UK: “While the presence of adware-infected apps on Google Play is a major inconvenience to the half a million or so people duped into installing them, many will be relieved that the temporarily hidden payload was nowhere near as damaging as it could have been.
By waiting for six hours after first use, the malware hidden within the QR code readers was clever enough to circumvent Google's controls at the time but, now it has shown its hand, this means of worming bad apps onto the Play store is likely to be closed off, for now at least.
Despite the large number of people affected, official app stores should still be the go-to place for all installs though, as third-party sites have way less – if any – controls in place and malware is far more common away from the trusted supplier sites.”
The apps avoided detection by simply working as QR code readers, as advertised, so that users (and presumably Google Play's checks) were fooled, and in addition concealed the adware code within what looks at first sight like a standard Android programming library.
“By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you'd expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight”, said the Sophos researchers.
Ondrej Kubovic, security awareness specialist at ESET, told SC Media UK that caution over installing apps from any source was key: “First, users should remove the infected apps from their device. Users are also recommended to install reliable security software, scan their device and remove any remaining malicious code. To keep their Android device protected in the future, we would also recommend that they keep the device's operating system and apps up to date and also read reviews before installing a new app (mostly the negative ones, as the positive ones might be fabricated by the attacker).”
The IOC hashes of the infected apps are as follows; Google has removed them from Google Play.