
CamScanner, a malicious Android app with more than 100M downloads in Google Play - GordonS
https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/
======
Abishek_Muthian
PlayProtect is not detecting and warning users about CamScanner even when it
has been removed from the Playstore.

I've tested it via manual scan on PlayProtect as well, no dice. Isn't that
what it is supposed to do?

Has anyone ever got any app flagged by PlayProtect? If it's useless, then I
would rather disable it than give it access to all my installed apps.

Google engineers here, please ping your Google Play team regarding PlayProtect.

Edit: More detail.

~~~
AnssiH
Do you have one of the affected versions installed? The versions since July
30th are not affected (according to
[https://news.ycombinator.com/item?id=20826213](https://news.ycombinator.com/item?id=20826213)).

~~~
hathawsh
I have auto-update turned on, yet I just discovered CamScanner was apparently
stuck on an unsafe version from July. Now CamScanner seems to be removed from
the play store, yet I had to remove the app manually. Play Protect still
thought everything was fine. I have a Google Pixel running stock firmware. I
guess it's time for a factory reset.

------
chkuendig
Guess what - this was caused by a third-party ad network:
[https://twitter.com/CamScanner/status/1166733219841986561/ph...](https://twitter.com/CamScanner/status/1166733219841986561/photo/1)

~~~
Zenst
That is, and for many always has been, an issue. Adverts help pay for content,
be that a game or website - people literally make a living that way, so much so
that it has become a bit of a de facto approach.

But when you are tied to including some code that goes off to a site that you
have no or very little control over, you are outsourcing part of your company
(web or app) into the hands of another, and if they mess up, you are the one
that takes all the PR flak.

After all, if somebody slips an exploit into an AD hosted on a 3rd party site
and offered up by a reputable AD serving company, whilst the blame and fault
may clearly be with the AD serving company for not screening what they offer,
you are the one that, from a consumer's point of view and, as it also
transpires, the media's, gets the blame. As we all know, corrections and
retractions are always less viewed and eyeballed than the initial drama article
based upon a small-picture view of the issue/drama instead of the root cause.
Even with the best, most respected media sites in the world, such
retractions/corrections never get the same attention as the initial article of
drama and doom.

That is one problem that, even today, still prevails - media does an article
with the finger pointing in one direction, and the truth, even when it comes
out and is updated, never tracks as well as the initial finger pointing. It is
very much the old saying of "if enough mud is slung, some will stick".

{EDIT spelling and below}

With that all said, ad-blocking by the likes of [https://pi-hole.net/](https://pi-hole.net/)
is more than just avoiding ADs, it's about privacy and more and more so - security.

~~~
andybak
(sorry to be picky about an irrelevance but this one grates on me. "Ad" is an
abbreviation not an acronym or initialisation - so no need to capitalize it as
"AD". Same for "app" over "APP". Makes things hard to read for me as it sounds
like someone shouting occasional words in an otherwise normal sentence!)

~~~
mattmar96
I normally wouldn't do this, but it's _initialism_ not initialisation

~~~
Zenst
I'm loving such educational feedback - full stop.

------
a254613e
So what exactly did this malware do most of the time?

In the original Kaspersky report it says "For example, an app with this
malicious code may show intrusive ads and sign users up for paid
subscriptions."

So how/did it sign up users for paid subscriptions without user interaction?
Does android allow something like that? Aren't all apps sandboxed?

In general how is the android sandboxing and permission system nowadays? I'm
considering switching back to it from iOS, but reports like this are kinda
discouraging.

~~~
panpanna
I don't know this particular case, but "malware" seems to be used to describe
"adware" these days by some blogs to generate more clicks.

Android is just as secure/insecure as iOS. Some recent "malware" campaigns
targeted both platforms, but in general Apple silently removes them while
Android gets scrutinized to death.

Edit: to answer your questions, these apps still operate within the limits of
the sandbox. Which is maybe a reason the term "malware" should not be used.

~~~
scarface74
This is clearly not the case. Not only is Android’s permission system more
permissive, most Android phones don’t get updates as frequently and definitely
not for as long as iOS.

~~~
panpanna
In modern Android phones, the core system is updated once a month [if needed -
which is often the case during the first year]. Android applications
(including things like mail and browser) and a large part of the OS are updated
immediately via the store.

The permission system is being updated and apps are being rejected for bad
use of permissions (check Reddit for the SMS permission stories).

~~~
scarface74
And as far as the parts of the OS that don’t get updates?

------
pjc50
Ironically this is right next to "Google just deleted my nearly 10-year-old
free and open-source Android app" on the front page. False negatives _and_
false positives.

~~~
higginsc
At a sufficiently large scale, even rare events happen constantly.

~~~
ignoramous
Related news.yc discussion:
[https://news.ycombinator.com/item?id=14038044](https://news.ycombinator.com/item?id=14038044)

------
habosa
I've been using this app for years and also telling other people to use it, so
this sucks.

If anyone else is looking for a replacement there's a Microsoft app called
"Office Lens" that seems to do a really nice job and is as safe a bet as
anything.

~~~
emmelaich
It's amazing to me that so few people are aware of the excellent scanning
apps from Google.

They work better, you're not expanding your privacy risk ... and they're free
and integrated with Google docs etc.

* namely, Drive Scan and Photoscan

~~~
GordonS
Never heard of Google Drive Scan, but I can't find it in the Play Store
either?

~~~
shthed
It's built into the Google Drive app, press + and scan.
[https://support.google.com/drive/answer/3145835](https://support.google.com/drive/answer/3145835)

------
sp332
Just to clarify the headline: the app didn't have malware when most of the
users installed it. A recent update added the malware.

~~~
m463
in regard to iOS:

When Tencent bought the iOS version, the "user contract" was grossly changed.

Just uninstall it and use the native iOS Notes app to scan your .pdf
documents.

~~~
Daniel_sk
Wow, I never knew you can use the Notes app to scan documents.

~~~
snazz
If you add the Notes shortcut to your Control Center, you can hard-press on it
and tap Scan Document to very quickly be able to scan a document. It does a
really good job too!

------
GordonS
For the past few days I've been seeing spam events in my calendar about "free
iPhones" and "webcam girls" - I couldn't figure out where they were coming
from. I have CamScanner installed, so presumably that's the source...

Now, I can remove CamScanner (which is a shame, it's a really good app), but
how can I ensure the trojan is also removed?

I tried the Avast AntiVirus app, but it didn't find anything.

What does everyone else do for AV on Android?

~~~
dantheman
The calendar thing is probably this: [https://lifehacker.com/how-to-prevent-spammers-from-infiltrating-your-google-c-1837539886](https://lifehacker.com/how-to-prevent-spammers-from-infiltrating-your-google-c-1837539886)

Check your emails.

~~~
oh_sigh
I got hit by this exact one (free iPhone X) recently, and couldn't find
anything in my email.

Surely that kind of email would just look like spam, so isn't the correct
solution for Google to just not auto-add calendar events if their source email
is spam?

~~~
abrookewood
Yep, my wife got exactly the same thing. Apparently those entries will appear
in your calendar even if the email was sent to spam. You have to configure
Gmail to not automatically add the entries.

~~~
wolfd
This seems like a pretty big oversight on Gmail's part.

------
jimrandomh
Does anyone have information on affected and unaffected version numbers? I
have a version of this installed, but it's an old one, and may not have
updated to the malware one because I disabled automatic updates. (Specifically
because I was afraid of this, in fact.)

~~~
tabjsina
May 22, 2019: 5.10.6.20190522 – safe

June 6, 2019: 5.11.0.20190611 – safe

June 14, 2019: 5.11.3.20190614 – safe

June 16, 2019: 5.11.3.20190616 – unsafe

June 24, 2019: 5.11.5.20190624 – unsafe

July 10, 2019: 5.11.7.20190710 – unsafe

July 23, 2019: 5.12.0.20190723 – unsafe

July 25, 2019: 5.12.0.20190725 – unsafe

July 30, 2019: 5.12.0.20190730 – safe

August 8, 2019: 5.12.3.20190809 – safe

August 14, 2019: 5.12.3.20190814 – safe

August 16, 2019: 5.12.5.20190816 – safe

August 20, 2019: 5.12.5.20190820 – safe

Source:
[https://www.reddit.com/r/Android/comments/cwk0y4/camscanner_...](https://www.reddit.com/r/Android/comments/cwk0y4/camscanner_booted_from_play_store_after_discovery/eyc0vin)

~~~
asveikau
Any speculation why they would only leave in the malicious code for about a
month? Changed their mind? Done without full knowledge? Achieved some high
value heist and rolled it back?

~~~
jeroenhd
An update to an ad library is what caused the malicious code in the first
place. Presumably either the infected library was updated again or the
developers switched libraries.

The developers behind this app did not add any malicious code they wrote
themselves. The attack either came from the ad library or the ad library was
hacked.

~~~
asveikau
If it's the case that it was accidental I feel bad that the app was pulled
rather than only vulnerable versions forced off. Although I suppose it would
be hard to find assurances that it won't happen again.

------
blisterpeanuts
Rather than disappear it from the Store entirely, it would be nice if Google
could leave a placeholder with a warning; at least it would serve an
educational purpose.

Also, does the Play Store app have a way to notify users of a banned app that
is still installed? I decided to check my wife's phone proactively, but I
don't think she would otherwise have had a clue of malware (but has been
getting weird and annoying pop-up ads).

~~~
saagarjha
> Rather than disappear it from the Store entirely, it would be nice if Google
> could leave a placeholder with a warning; at least it would serve an
> educational purpose.

This would also make the Play Store look bad.

~~~
luckylion
Which would also be fitting, wouldn't it? Google missed it and dropped the
ball.

------
buildzr
> So a dropper might be used to install malware that steals banking
> credentials or generates fake advertising clicks or signs up for fake
> subscriptions.

This is basically wrong, you can't modify a browser or charge someone's card
without breaking out of the sandbox.

Worst case they could burn your cellular data or encrypt your photos and such
if you gave it permission.

Is there any evidence they maliciously used this or was it probably just in
there so they could drop more creepy ad code?

~~~
nisa
> without breaking out of the sandbox.

Every Android Security Advisory I looked at contained at least one, often
multiple, Elevation of Privilege or straight Remote Code Execution holes - my
Android One smartphone usually gets the updates 20-35 days _after_ the release
of the Advisory - I'm the only one in my wider family that even got a
smartphone that still receives monthly security updates at all. Most of them
are stuck on an old Android version with years-old patch levels. So I doubt
this is hard at all. I have no idea if there are public exploits for these
issues, but they probably exist.

------
tripzilch
So does the ad network just get away with this? Isn't it criminal to spread
malware like this? Seems they were in a serious business relation with
CamScanner, not some seedy underground place.

Do other apps run the same ad library, do they run the same risk?

------
doggydogs94
Maybe Google should pay more attention to their own ecosystem and less focus
on embarrassing other vendors.

~~~
panpanna
I too wish they would stop using their resources to find security problems
Apple should have found themselves.

But I very much disagree this is about embarrassing Apple. In fact, Google is
doing them a huge favor.

(The iMessage bug for example could have been turned into a worm and infected
ALL iPhones on the planet in a matter of minutes if it had been found by
blackhat hackers instead. Apple should be thankful.)

~~~
snazz
Project Zero _is_ doing Apple a huge favor. Google isn’t a single organism;
Project Zero isn’t taking away resources from the Android division. And it’s
not like Project Zero doesn’t look for Android vulnerabilities, it’s just that
iOS is a much more interesting target from a security standpoint because it’s
widely considered to be actually secure (not to mention that people actually
run the latest version of it).

I think Fuchsia can’t come fast enough for an opportunity to break backwards
compatibility and catch up with the rest of the world on security.

(I also think that Google needs to put some more humans in the Play Store
review process, but as we all know Google despises using humans when they can
automate a process.)

~~~
panpanna
If we only consider security, Fuchsia is another horrible use of resources.
How many Android issues are due to kernel bugs? Of those, how many are due to
Google using its own heavily modified version of an outdated kernel?

Agreed on humans, Google needs more humans and fewer robots.

------
flyGuyOnTheSly
Can an "app with Malware" access my Google Authenticator credentials? Or read
my screen while I am viewing them?

~~~
jeroenhd
Google auth credentials: not without root (which malware might get if your
device isn't up to date on security patches).

Read screen: not without permission, and even then not on protected screens,
unless the malware has gained root access.

If the app doesn't get root, the Android sandbox should protect you
sufficiently against attacks on the key store of Google Authenticator.

However, if you copy the code to the device clipboard, the malware might read
the code from there.

------
panpanna
> CamScanner was actually a legitimate app, with no malicious intensions
> whatsoever, for quite some time. It used ads for monetization and even
> allowed in-app purchases. However, at some point, that changed, and recent
> versions of the app shipped with an advertising library containing a
> malicious module.

IMO, this is more a legal matter than a technical one.

Google needs to sue this company, not engage in a whack-a-mole game with their
AI algorithm and useless scanner.

~~~
GordonS
That's a little presumptuous - isn't it likely that CamScanner was somehow
compromised? This could happen in the source code or in the build and release
pipeline.

~~~
gdfasfklshg4
Then it is a police matter...

~~~
panpanna
Yeah, we can't just remove the app and think that would fix the issue.

Otherwise this is bound to happen again.

------
thebruce87m
Is this just a non issue on iOS? If so, why?

~~~
0942v8653
I had the CamScanner app on my iPhone for quite some time, then uninstalled
when I launched it and saw (IIRC) Chinese text appear. I'm assuming that
ownership changed around that time, and if the Android and iOS apps have the
same owner, I wouldn't trust it either.

An iOS trojan would have slightly more limited impact, but if (for example)
you gave the app "Access to your Photos" in order to save something, the app
would still be able to read all of your photos and potentially send them back
to home base as it chooses.

~~~
aitchnyu
I guess it's time to disclose transfers and sales of mobile apps and browser
extensions to end users.

------
godshatter
Malicious code found in ad networks, but I still get downvoted every time I
complain that a given website was unusable by me because after trying to
enable some (hopefully safe) javascript domains it still wouldn't render in a
usable form.

There is a problem here. Trying to protect yourself from third-party malware
running on your machine breaks half the damn web because of our over-reliance
on javascript frameworks and ad networks. We have to find a better way.

------
jimbo1qaz
I am not surprised that CamScanner included a malicious advertising SDK,
considering Exodus Privacy shows it has 17-19 trackers:
[https://reports.exodus-privacy.eu.org/en/reports/search/com.intsig.camscanner/](https://reports.exodus-privacy.eu.org/en/reports/search/com.intsig.camscanner/)

------
cannedslime
Anyone remember when the Android Play Store wasn't ranked by how much revenue
Google got out of it? Remember when even Google employees put out their own
apps free of ads, like solitaire etc.? But all these free, ad-less apps
mysteriously either disappeared from the Play Store or got sent to the very
bottom of every search query.

------
PunksATawnyFill
So what do they do?

Revoke the app and developer account of that guy who wrote the free transit-
mapping app for Montreal.

Google: hypocrisy on a colossal scale.

~~~
makomk
On the other hand, remember that guy whose complaint about Google
terminating his developer account "for no reason" made the HN front page a
couple of weeks back? [https://medium.com/@tokata/how-google-play-terminated-a-developer-for-no-reason-e4d760e9f472](https://medium.com/@tokata/how-google-play-terminated-a-developer-for-no-reason-e4d760e9f472)

According to his blog post, his "anti-piracy system" used "custom techniques
including dynamic bytecode loading from a local app resource", the exact same
technique used by this malicious code to hide from detection.

------
anandkunwar
"Scam Cancer", a friend once called it. I suppose he was right.

------
env123
Nice advert by Kaspersky in partnership with CamScanner

~~~
aclsid
I seriously doubt that CamScanner wanted that kind of publicity. As for
Kaspersky, they are like gun makers, selling you a false/real sense of
security depending on who you ask.

------
Deimorz
Blogspam of [https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/](https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/)

(Forbes contributor posts are almost always blogspam)

~~~
scarface74
As if Kaspersky itself isn’t spamming.

_To make sure you never find yourself in such trouble, use a reliable
antivirus for Android app and scan your smartphone from time to time. (The
paid version of Kaspersky Internet Security for Android scans automatically.)_

~~~
nvr219
Inbound marketing is literally the opposite of spamming

