Barcode scan app amassed millions of downloads before weird update starting popping open webpages...

Barcode Scanner, a popular Android app, slipped undesirable code into an update in early December, an update that had the potential to reach more than 10m devices though actual distribution is believed to be far less. Several weeks later, Google removed the app from Google Play. Those who downloaded the software and accepted …

  1. needmorehare

    This was inevitable. But Android handled it well.

    ...and it won't be the last time either. Thankfully, Android pulls all the stops to make sure malware gets minimal privileges. Separate UIDs, separate SELinux contexts (same types, separate categories) and in the future, separate namespaces and seccomp-bpf to limit syscalls.

    I fear the day someone deliberately modifies a popular freeware desktop app on Linux/Windows/macOS and actually slurps data en-masse. Desktop systems need proper hardening ASAP.

    1. IGotOut Silver badge

      Re: This was inevitable. But Android handled it well.

      Yeah.....that's right. It's not like privileges tend to be all or nothing.

      It's taken ten years to get even the basics right...and let's not even mention the location bullshit when "off" actually means "sort of off".

    2. JassMan

      Re: This was inevitable. But Android handled it well.

      I don't quite understand why you lumped Linux in with Windows/macOS. There are 2 major differences between Linux software and that written for Android/Windows/macOS.

      The first is that nearly all Linux software is not only open source, but that it is peer reviewed before being packaged and included on the distribution servers for any particular flavor.

      The second is the ethos of the authors. In general, authors of FOSS are interested in users' privacy, not selling their details to anyone prepared to pay for nefariously obtained data. FOSS authors also tend to write software for the good of mankind, and if users like to make a donation for good software, then all well and good, but the authors are generally not in the business of extracting money by evil means.

      1. tcmonkey

        Re: This was inevitable. But Android handled it well.

        Upvote for the second part of your comment, but after god knows how many ancient bugs that pop up years later I think the 'peer review' part of the argument is objectively bullshit. Sure they COULD be reviewed, but either nobody is actually doing it or they're not doing an especially good job.

        1. Anonymous Coward

          Re: This was inevitable. But Android handled it well.

          1) Anyone could have reviewed it.

          2) Therefore somebody must have reviewed it.

          3) So I don't need to.

          Unless you can prove that open source code has been competently reviewed, it cannot be any more trustworthy right now than closed source. Reviewing the code weeks after it had been released when people are using packages built from it is too late.

      2. Phil O'Sophical Silver badge

        Re: This was inevitable. But Android handled it well.

        "In general, authors of FOSS are interested in users' privacy, not selling their details to anyone prepared to pay for nefariously obtained data."

        "in general" people are nice, but it only takes a few bad apples to create problems, and those are just as prevalent in the Linux FOSS world as they are in the Android/Windows/Mac ones. It would be very naive to think otherwise.

  2. Pangasinan Philippines

    Get it for free!

    Why can't Android have this app package included in the distro?

    I always wonder how these 'free' apps make their existence worthwhile.

  3. YetAnotherLocksmith Silver badge

    But which app is the bad one?

    As ever, it is another bad app with a common name! If the Play Store did just one simple thing to boost security, it would be to give every App a unique store ID! Then this sort of story could say "Barcode scanner, program ID Y6D88" and then all us humans could tell which exact program was the bad one!

    I recall when one of the popular "flashlight" apps went bad, and there were about 1000 apps called the same name. Stop it, Google!

    You'd also be able to recommend a specific app, instead of the current ludicrous "search 'xyz' in the Play store" gamble.

    1. Richard Tobin

      Re: But which app is the bad one?

      Yes, this is a problem. The article says "LavaBird's now-banished Android app shouldn't be confused with ZXing Team's Barcode Scanner that remains in the Play Store." But that app has lots of similar complaints. Does it really have the same problem, or have people just submitted complaints about the wrong one by mistake?

      1. BenDwire Silver badge

        Re: But which app is the bad one?

        It seems that LavaBird copied ZXing's source, and added the malware to it. The original one is OK (and hasn't been updated for years anyway).

        Have a look at GitHub.

      2. ibmalone

        Re: But which app is the bad one?

        I've got ZXing installed and not seen this, it's still on the play store and was last updated in 2018, so my guess is people just searching for Barcode Reader to leave bad reviews and not noticing it's a different publisher to the one they had (particularly as the malicious one has been removed).

        1. SewerSide

          Re: But which app is the bad one?

          I had ZXing installed, and started getting full screen ads when I unlocked my phone last December. After a few days of checking, found other people suspicious of ZXing, so I uninstalled, and the ads went away. So I'm one of the people leaving bad reviews, and I meant to do it on ZXing.

          No idea how it happened when it hasn't updated in years though.

          1. ibmalone

            Re: But which app is the bad one?

            Confusing!

      3. diodesign (Written by Reg staff) Silver badge

        "people just submitted complaints about the wrong one by mistake?"

        Yes, apparently so. The bad one got taken off the Play Store but not people's phones. So people went to the Play Store to complain about the pop ups in the software still on their device, and trash the wrong app.

        Bit of a mess.

        C.

    2. Soruk

      Re: But which app is the bad one?

      It is com.qrcodescanner.barcodescanner
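Because display names collide ("Barcode Scanner" matches both the pulled app and ZXing's) and, as noted above, removal from the Play Store does not remove the app from phones, the reliable way to check a device is by package ID. The script below is an added example, not from the thread or from any of the projects named in it: it parses the output of `adb shell pm list packages -f` (a constructed sample is embedded) and reports installed package IDs that exactly match a known-bad list, which here contains only the ID Soruk quoted.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -f` output. One line is the
# package ID named in the thread; the other two are unrelated installed packages.
SAMPLE_PM_OUTPUT='package:/data/app/com.google.zxing.client.android-1/base.apk=com.google.zxing.client.android
package:/data/app/com.qrcodescanner.barcodescanner-2/base.apk=com.qrcodescanner.barcodescanner
package:/system/app/Camera/Camera.apk=com.android.camera'

# Known-bad package IDs, one per line. Only the ID quoted in the thread is listed;
# extend this from a source you trust, not from app display names.
KNOWN_BAD='com.qrcodescanner.barcodescanner'

# flag_known_bad: read `pm list packages -f` lines on stdin and print every
# package ID (the text after the final '=') that exactly equals a known-bad ID.
# Matching on the ID rather than the name is the whole point: the name is not unique.
flag_known_bad() {
    sed -n 's/^package:.*=\([^=]*\)$/\1/p' | while IFS= read -r pkg; do
        if printf '%s\n' "$KNOWN_BAD" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Stand-alone run over the constructed sample. Against a real device you would
# pipe live output instead: adb shell pm list packages -f | flag_known_bad
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_known_bad
```

A hit means the package is still installed regardless of what the Play Store now shows; the fix for the affected user is simply to uninstall that package ID.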

  4. Missing Semicolon Silver badge

    Only when somebody notices

    Once again, Google pulls malicious apps when somebody else notices them.

    To do their own malware investigation would be "too expensive" (== eat into our profits).
