Android app with over 10 million installs suddenly becomes adware — what to do [updated]
Barcode Scanner app began showing ads after recent update
Updated with additional information.
If your Android phone or tablet has suddenly started showing lots of ads or its browser has been popping open on its own, a rogue app called Barcode Scanner may be to blame.
Malwarebytes detailed in a blog post last week how its forum users tipped off researchers about Barcode Scanner, an app that had been installed by more than 10 million people over several years before it started doing shady things after an update in early December 2020.
- Millions of Android devices threatened by botnet malware — what to do
- The best Android antivirus apps
- Plus: Beware links to Discord's website — it could be malware
Google subsequently yanked the bad Barcode Scanner app from the Google Play Store. Several other apps with that same name — let's call them the "good" Barcode Scanners — are still there. If the bad Barcode Scanner is on your phone or tablet, you'll want to uninstall it. (You'll also want to make sure you've got one of the best Android antivirus apps installed.)
Malwarebytes calls what the bad Barcode Scanner did "malicious." To us, it sounds like the app became more adware than malware.
From what Malwarebytes describes, the app started forcing users' default Android browsers (this would be Google Chrome on most devices) to open new pages pointing to online ads, then put them foremost on the device's display without the user's request.
That's pretty annoying, but it's a long way from being real Android malware that steals sensitive personal information or drafts your device into an Android botnet. The ad-ridden update got past Google Play's screeners by hiding the dodgy parts of its code.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Malwarebytes said the Barcode Scanner in question was developed by a company calling itself LavaBird Ltd., which makes at least four other apps still in Google Play and whose incomplete street address implies it's based in a rather expensive part of central London. Here's a picture of what the Google Play app entry looked like before the app was kicked out.
However, archived versions of the Google Play Store URL provided by Malwarebytes show a different developer, one based in India and named, well, Barcode Scanner.
The old and new versions of the Barcode Scanner app have consistent version numbers, and both cite identical numbers of installs and Android system requirements.
It looks like the original Barcode Scanner developer may have sold the app to another party, who then injected may have injected adware.
UPDATE: Our friends over at The Register remembered that the British government makes it easy to look up the details of any company registered in the UK.
It turns out the London address that LavaBird Ltd. claims is accurate, although it's likely just a forwarding service as there are dozens of other companies registered at that same address.
LavaBird appears to have been registered in London in March 2020 by a 23-year-old Ukrainian man who lives in Kyiv. The Register also found a related website that proclaims, "We sell Android mobile traffic!", which is never a good sign for an app developer.
UPDATE 2: LavaBird got in touch with Malwarebytes to insist that they were not the ones who had injected malware into Barcode Scanner. Rather, LavaBird said, they were the intermediaries in a transfer of ownership from the app's original developers to a third party called "The Space Team."
LavaBird said their name was registered as the developer for a time, but that actual control of the app code passed directly from the original developer to The Space Team.
Malwarebytes did some digging into the Internet Archives and off-road app stores and found that the app's registered developer on Google Play did in fact change from LavaBird to The Space Team in early December. The app was removed from Google Play sometime in January.
"Ultimately, I believe LavaBird’s claims," wrote Malwarebytes' Nathan Collier. "We write this in hopes of clearing LavaBird’s name."
How to tell if you've got the bad Barcode Scanner, and how to remove it
The actual Android app ID is "com.qrcodescanner.barcodescanner", but Google doesn't make it easy to view an installed app's ID without bouncing you to the Google Play Store website. The Play Store page for this particular app has been taken down.
Probably the easiest way to see whether you have the bad Barcode Scanner installed is to go to Settings > Apps. Look for an app called Barcode Scanner. If it's not there, you're good.
If there is a Barcode Scanner app, then you need to make sure which Barcode Scanner it is. Tap the app listing in Settings, then tap Advanced. Tap App details.
At this point, you should be taken to the Barcode Scanner's page in the Google Play app. If the page just keeps loading and nothing comes up, it implies there's no listing in Google Play. You can presume you've got the bad app, and you'll want to go back a couple of steps to the app listing page in Settings and uninstall the app.
If you do get a Google Play app page, then double-check the app developer's name. It should be right under the app's name at the top of the page.
If it the developer name says LAVABIRD LTD., then go back to the app listing page in Settings and uninstall the app. If it says something else, then it's one of the half-dozen other Barcode Scanner apps and it's safe to leave it installed.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.