A blog post by Malwarebytes is raising the alarm over a commonly downloaded Android app that poses a threat to users who currently have it installed on their devices.
According to the antivirus company, over 10 million users downloaded the Lavabird Barcode Scanner app since it was first released. Any users who still have the app installed could be suffering malicious side effects.
Malwarebytes first noticed the issue when several forum users began complaining of ads opening automatically in their default Android browser. Many of those users claimed not to have recently installed any new apps – and those who had all used the official Google Play Store.
Then, a forum user going by the name Anon00 discovered that the problem was originating with the long-standing Barcode Scanner app. At that stage, Malwarebytes added the app to its antivirus detection and Google pulled the app from its Play Store.
For users who previously installed the app, however, the update for the app (believed to have been pushed on December 4) could mean that their device is currently infected. As a result, they could be experiencing adverse effects.
According to Malwarebytes, the Lavabird Barcode Scanner was a perfectly safe and non-malicious app for most of its lifetime. This adds to the confusion and concern surrounding the app – because it means that it made its way onto a huge number of devices.
Malwarebytes points out that some of its users had the app installed for years before the latest update made it exploitative. In its blog post on the subject, Malwarebytes questions the motivation behind the sudden decision to update the app:
"It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know."
According to researchers at Malwarebytes, "it is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect".
This reveals that while Google works hard to protect users and keep its app ecosystem clear of exploits, there are still problem areas that the company must deal with to prevent users from becoming infected.
On this occasion, the sheer number of people who installed the Barcode Scanner actually appears to have helped to bring the problem to light. A fringe app with fewer users, however, could theoretically suffer a similar update – while flying under the radar for an extended period.
Thus, Google must look closely at how it could uncover similar malicious updates in the future.
Could you be at risk?
It is important to remember that while Google has pulled the app from the Play Store, it could still be causing repercussions for any user who continues to have it installed on their Android device.
This is concerning, because, due to the pandemic, consumers who didn't realize that the standard camera feature on their phone does the job may have downloaded the Lavabird app to scan QR codes to enter venues such as bars and restaurants.
Because Android users may have inadvertently installed the app, it is vital that everybody checks to see whether their device is infected.
Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.
As is always the case, we strongly urge all internet users to ensure that they have an up-to-date antivirus with real-time protection installed on their device.
If you have been suffering from a higher prevalence of adverts and pop-ups since December, we recommend you check your device for the Barcode Scanner app – deleting it if present – and run a malware scan to ensure that no dangerous exploits remain.
Android users are also reminded that the malicious update for Barcode Scanner was signed with the same digital certificate as the previous non-infected versions of the app. This suggests that the Ukrainian app developer Lavabird was behind the malicious update, raising concerns about its other apps.
Thus, anybody who has Lavabird apps such as Titan Booster, Sworkout, Web Browser – Private Browser with a Free VPN, or Words Correction Keyboard is advised to remove those apps to avoid this suspicious app developer going forward.