Android Malware Infects QR Reader Apps Amassing 500,000 Downloads On Google Play


If your Android phone has suddenly started bombarding you with advertisements, you might the victim of malware, and specifically a strain that recently infiltrated Google Play by disguising itself as a bunch of handy utilities. Researchers at security firm Sophos discovered the tricky malware, saying that infected apps amassed over half a million downloads before Google removed them.

Six of the booby-trapped apps claimed to be QR code readers, while another billed itself as a smart compass. All of them actually worked as advertised. To further mask the scent of foul play, the hidden adware in each of the infected apps would not fire up right way, "lurking innocently for a few hours before unleashing a barrage of ads," Sophos says. In addition, the adware part of each app was embedded in what looked at first sight to be a standard Android programming library.

"By adding an innocent-looking “graphics” sub-component to a collection of programming routines that you’d expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight," Sophos added.

Despite the outward appearance of being an innocent app, the QR readers and smart compass were up to no good. They bombarded Android users with advertising web pages, and also sent them Android notifications, including ones with clickable links in an attempt to generate ad revenue for the devious developers who were behind the ruse.

The good news here is that Google has removed the offended apps from its Play Store. However, it's concerning that they managed to slip past Google's vetting process in the first place, and makes you wonder what else might be lurking in plain sight.

"Google’s app vetting process is far from perfect, but the company does at least carry out some pre-acceptance checks. Many off-market Android app repositories have no checks at all—they’re open to anyone, which can be handy if you’re looking for unusual or highly specialized apps that wouldn’t make it onto Google Play (or trying to publish unconventional content)," Sophos says.

The bottom line is that even though Google doesn't catch all rogue applications, you're still better off downloading from Google Play than to trust a third-party app repository.