Infected Android App with 100M Downloads Found in Google Play

An Android app with more than 100 million downloads from the official Google Play Store contained a backdoor that permitted the installation of any kind of malicious software without the phone user's knowledge, Kaspersky researchers disclosed yesterday (Aug. 27).

The app, called CamScanner, lets you digitize text and create PDFs from documents by simply taking photographs of them. It was removed from the Play Store after Kaspersky notified Google of the problem. But the simple fact that it was in there at all shows how difficult it is to keep malware out of the official Android app store -- or, alternately, what a lousy job Google is doing of it.

If you've got a copy of CamScanner on your Android phone, uninstall it. If you've got good Android antivirus software on your phone, run a scan. If you don't, get some.

On the upside, not everyone who installed CamScanner got the backdoor on their phones, especially if they didn't bother updating the app. 

"CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time," a Kaspersky blog posting yesterday said. "However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module."

Igor Golovin and Anton Kivva, the Kaspersky researchers who documented the malware, theorize that CamScanner's developer, INTSIG Information Co., Ltd., might not even have been aware of the infection. 

"It can be assumed that the reason why this malware was added was the app developers' partnership with an unscrupulous advertiser," they wrote in the Kaspersky technical writeup.

A screenshot of the CamScanner HD page, which has the same logo as the removed CamScanner app, on the Google Play Store website. (Image credit: INTSIG/Google)

That's certainly possible. Many mobile apps have only limited control over where their ads come from, and malicious ad injection -- "malvertising" -- has plagued legitimate websites for many years.

But the upshot was that the backdoor -- a "dropper" in information-security parlance -- would open up a clandestine avenue to far-off servers, which could then push down any kind of software for installation on phones running CamScanner.

"The owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," Golovin and Kivva wrote.

Ironically, or perhaps tragically, the backdoor had been removed from the most recent version of CamScanner before Google kicked the app out of the Play Store, the researchers said. (An app that creates a "license" for the paid version of CamScanner is still in Google Play, as is an older version of the app called CamScanner HD.)

How to avoid infection

So how do you keep malware out of your Android phone when even the official Play Store can be infected? 

First, check the user comments on every app before you install it. The Kaspersky researchers were tipped off to the CamScanner problem because "negative user reviews that ha[d] been left over the past month have indicated the presence of unwanted features."

Second, check the permissions on the app. On a desktop or laptop, scroll all the way down on the app's Play Store web page and click "View details" under Permission. On a phone or tablet, click "About this app" on the Play Store app page, scroll all the way down to "App permissions" and tap "See More." If an app that doesn't need to make calls, use audio or get your specific location takes those permissions anyway, that should raise red flags.

Third, install and use good Android antivirus software, as mentioned earlier. Kaspersky naturally recommends its own Kaspersky Internet Security for Android, which is pretty good, but we like Bitdefender Mobile Security and Norton Mobile Security as well. Bitdefender even has a no-cost version called Bitdefender Antivirus Free for anyone who doesn't want to pay $15 a year.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.