The Hacker News
Beware! Attackers can remotely hijack your Android device and steal data stored on it if you are using the free version of CamScanner, a highly popular phone PDF creator app with more than 100 million downloads on the Google Play Store.

So, to be safe, just uninstall the CamScanner app from your Android device now, as Google has already removed the app from its official Play Store.

Unfortunately, CamScanner has recently gone rogue: researchers found a hidden Trojan Dropper module within the app that could allow remote attackers to secretly download and install malicious programs on users' Android devices without their knowledge.

However, the malicious module doesn't actually reside in the code of the CamScanner Android app itself; instead, it is part of a 3rd-party advertising library that was recently introduced in the PDF creator app.

Discovered by Kaspersky security researchers, the issue came to light after many CamScanner users spotted suspicious behavior and posted negative reviews on Google Play Store over the past few months, indicating the presence of an unwanted feature.

"It can be assumed that the reason why this malware was added was the app developers' partnership with an unscrupulous advertiser," the researchers said.

The analysis of the malicious Trojan Dropper module revealed that the same component was also previously observed in some apps pre-installed on Chinese smartphones.

"The module extracts and runs another malicious module from an encrypted file included in the app's resources," researchers warned.

"As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions."
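For defenders triaging an APK, the behaviour quoted above (a payload kept as an encrypted file in the app's resources) suggests one static check: look for large, high-entropy files in the resource directories that are not a recognised compressed format. The following Python sketch is an added example, not code from Kaspersky's report or from the app; the directory list, entropy threshold, size floor and sample file names are assumptions, and a hit is a lead for manual review rather than a verdict.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Assumed heuristics for this example; none of these values come from the article.
RESOURCE_DIRS = ("assets/", "res/raw/")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data approaches 8.0
MIN_SIZE = 4096  # entropy estimates on tiny files are unreliable
# Formats that are legitimately high-entropy (compressed media and archives).
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"OggS", b"GIF8")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_resources(apk):
    """Return (name, size, entropy) for opaque high-entropy files in resource dirs."""
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(RESOURCE_DIRS):
                continue
            data = zf.read(info)
            if len(data) < MIN_SIZE or data.startswith(KNOWN_MAGIC):
                continue
            entropy = shannon_entropy(data)
            if entropy >= ENTROPY_THRESHOLD:
                hits.append((info.filename, len(data), round(entropy, 2)))
    return hits


def build_sample_apk():
    """Constructed sample: a zip laid out like an APK, with one random blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 500)
        zf.writestr("assets/help.html", b"<p>How to scan a page</p>" * 400)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + os.urandom(8192))
        zf.writestr("assets/blob.dat", os.urandom(16384))  # stands in for an encrypted file
    return buf


if __name__ == "__main__":
    print(suspicious_resources(build_sample_apk()))
```

`suspicious_resources` also accepts a path to an APK on disk, since `zipfile.ZipFile` takes either a file name or a file-like object.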

Kaspersky researchers reported their findings to Google, which promptly removed the CamScanner app from its Play Store, but they say "it looks like app developers got rid of the malicious code with the latest update of CamScanner."

Despite this, the researchers advised users to just keep in mind "that versions of the app vary for different devices, and some of them may still contain malicious code."

It should be noted that since the paid version of the CamScanner app doesn't include the 3rd-party advertising library and thus the malicious module, it is not affected and is still available on the Google Play Store.

Although Google has stepped up its efforts to remove potentially harmful apps from the Play Store in the last few years and added more stringent malware checks for new apps, legitimate apps can go rogue overnight to target millions of their users.

"What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base — can turn into malware overnight," the researchers concluded.

Therefore, you are strongly advised to always keep a good antivirus app on your Android device that can detect and block such malicious activities before they can infect your device.

In addition, always look at the app reviews left by other users who have downloaded the app, verify app permissions before installing any app, and grant only those permissions that are relevant to the app's purpose.

For more technical detail about the Trojan Dropper malware found in CamScanner and a full list of its indicators of compromise (IOCs), including MD5 hashes and its command-and-control server domains, you can head over to Kaspersky's report.
