CamScanner Advertising Dropper in Google Play (Aug 27, 2019)
Security researchers at Kaspersky have discovered malicious code in an Android application that has over 100 million downloads on Google Play. The app, a mobile PDF creator called CamScanner, contains a malicious dropper component within its advertising library. Detected as Trojan-Dropper.AndroidOS.Necro.n, the module downloads and launches a payload from malicious servers. According to researchers at Kaspersky, owners of the module can manipulate an infected device to show intrusive advertisements and to steal money by charging mobile accounts for paid subscriptions. These findings were reported to Google, and the app was removed from the Google Play marketplace.
Recommendation: Google has since removed the malicious application from Google Play. All applications should be carefully researched prior to installation on a personal or work device. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors and should be routinely checked for updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.