Trend Micro researchers have discovered yet another collection of adware apps, including malicious barcode reading apps for the Android platform. Both apps were available on the Google Play Store at the time of their analysis, and have amassed millions of installations. The apps started as legitimate barcode reader apps in 2018 and began testing ad-serving functionality a bit later. Trend Micro first detected them in 2019, but their behavior then wasn’t as sophisticated as it ended up being later. The names of the apps are “Barcode Reader” and “QR & Barcode Scanner,” and their icons are as shown below. If you have these apps installed on your devices, remove them immediately.
As reflected in the user reviews, the apps continued to operate as barcode readers but engaged in background action as well. By looking at other offerings from the same developers, the researchers figured that they were dealing with a set of 51 distinct apps that had identical behavior and were part of the same adware campaign. Some of these apps were distributed from outside the Play Store, others were identified as malware and removed by Google, and a few like the barcode scanner duo remained on the official Android store for long.
These apps initiate a background service that disguises itself with the package name “com.facebook.” This service is pushing ads in 15-minute intervals, and at the same time, it receives what looks like random data from its C2 server. This data is commands, ad IDs, and configuration information that guide the adware on what to do. The user has difficulty figuring out where these ads originate from, what is actually running in the device, and why the screen seems to be flashing every 15 minutes.
This behavior is the effect of opening an ad and closing it right away. This is done purposefully, as the adware is still making money from “the view” of the ad while the user is unlikely to realize the “fake impression” operation. The screen flash looks more like a hardware/panel issue rather than anything having to do with a malware app. That is especially when the user isn’t actively using the device since the adware continues to fetch, display, and close ads during that time as well. Even if the user were to investigate what’s running during the flashes, they would get a fake app name and icon, as shown below.