Android PDF app with just 100m downloads caught sneaking malware into mobes

An Android PDF maker with more than 100 million downloads from the official Play Store has been caught silently installing malware on victims' phones. Kaspersky's eggheads Igor Golovin and Anton Kivva claim CamScanner, an application that turns images into PDFs to share and edit, contains a library that quietly fetches and …

  1. Inventor of the Marmite Laser Silver badge

    "The Register has reached out to CamScanner's developer"

    No it sodding didn't. It CONTACTED CamScanner's developer.

    And don't you forget it.

    1. Will Godfrey Silver badge

      Re: "The Register has reached out to CamScanner's developer"

      Absolutely!

      I always read that expression as retched - which is exactly what it makes me want to do.

      1. Anonymous Coward

        Re: "The Register has reached out to CamScanner's developer"

        It always reminds me of the phrase "reach around", which makes HR comms interesting at times :D

        1. Doctor Syntax Silver badge
          Pint

          Re: "The Register has reached out to CamScanner's developer"

          "It always reminds me of the phrase reach around"

          This sort of around?---->

          1. Anonymous Coward

            Re: "The Register has reached out to CamScanner's developer"

            No Dr (!), one of these (NSFW btw, although helpfully it just suggested I buy a "reacharound" mug with the definition for my sister in law):-

            https://www.urbandictionary.com/define.php?term=reacharound

      2. JLV

        Re: "The Register has reached out to CamScanner's developer"

        Hey, at least they didn’t “touch base with” ;-)

    2. Bloodbeastterror

      Re: "The Register has reached out to CamScanner's developer"

      Woo hoo! I thought I was the only person in the Reg readership interested in proper English. Thank you... :-)

    3. Bronek Kozicki

      Re: "The Register has reached out to CamScanner's developer"

      There is a subtle difference between the two: "reach out" does not imply that the attempt was successful.

      1. Chris G

        Re: "The Register has reached out to CamScanner's developer"

        'Contacted' doesn't imply response either.

        'Reached out' however, implies corporeal physical movement towards the object, not electronic contact.

        1. tin 2

          Re: "The Register has reached out to CamScanner's developer"

          It also implies The Four Tops

          1. 's water music
            Coat

            Re: "The Register has reached out to CamScanner's developer"

            .

            .

            .

            .

            I'll be there

    4. dajames

      Re: "The Register has reached out to CamScanner's developer"

      "The Register has reached out to CamScanner's developer"

      No it sodding didn't. It CONTACTED CamScanner's developer.

      Much as I despise this use of "reach out", I do think it carries an overtone, here, that "contacted" doesn't -- the fact that the attempt to contact the developer has apparently, so far, failed.

      Using "reached out" in this way is a clumsy attempt to save face by avoiding having to say "has not been able to contact, despite trying".

      Far better to say "we tried to contact the developer, but the bastard won't answer".

      1. Antonius_Prime

        Re: "we tried to contact the developer, but the bastard won't answer"

        I'd have a heck of a lot more respect and understanding if those lines were in the article.

        Bit more... down to earth... honest... about it.

    5. Doctor Syntax Silver badge

      Re: "The Register has reached out to CamScanner's developer"

      There are, of course, purists who insist that "contact" is only a noun and el Reg should have said "attempted to make contact with".

      JR-M probably has it on his banned list because his 2nd deputy nanny told him not to use that because her primary school teacher told her not to because her English teacher told her not to because Dr Johnson didn't define it as a noun. (Actually my old Pocket Oxford doesn't either but I'd guess a newer edition would.)

      1. Daniel 18

        Re: "The Register has reached out to CamScanner's developer"

        "Verbing weirds language"

        Thank you, Calvin and Hobbes.

        https://www.gocomics.com/calvinandhobbes/1993/01/25

  2. albaleo

    It has TRIED TO CONTACT, I think. But how hard did they try? And if it was down the pub, and the developer was propping up one end of the bar and our intrepid journalist the other end, maybe he did reach out, before falling over.

    1. Alan Brown Silver badge

      But how hard did they try?

      Based on past personal experience, email was sent 5-10 minutes before posting the story (at most)

  3. dank_army

    Infuriating

    Why does it need a third party to tell Google that one of the apps hosted on its own app store is dodgy? So Play Protect is basically worthless then?

    "Scanning and verifying over 50 billion apps every day

    All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure that everything remains spot on. That way, no matter where you download an app from, you know it’s been checked by Google Play Protect."

    1. andy gibson

      Re: Infuriating

      "So Play Protect is basically worthless then?"

      Often turned off so people can use third-party TV and movie streaming apps which aren't in the Play Store.

      1. 's water music

        Re: Infuriating

        Often turned off so people can use third-party TV and movie streaming apps which aren't in the Play Store.

        I'm not sure that there is a dependency between the Play Protect functionality and whether or not you enable sideloading. I suspect that play protect continues to scan the apps you have installed from the Play store. I would think that you implicitly accept some responsibility for assessing third-party sourced apps

    2. YourNameHere

      Re: Infuriating

      I was thinking the same thing...

    3. SVV

      Scanning and verifying over 50 billion apps every day

      50 billion apps, or 50 billion individual installations?

      If it's the former, the place must be awash with malware and crapware, scanning or no scanning. If it's the latter, then what action do they take on users' devices? Their website suggests the former, without any real clarity, so congratulations to the entire world population for writing several unique and useful Android applications every day!

    4. Anonymous Coward

      Re: Infuriating

      Google, just by virtue of having the Play Store, has delivered more malware to people than any other source in the world (except maybe the Chinese government). And it still never sends anyone a notice when it removes it from the store.

      User: Hey I got malware from an app on your store, and all my data was stolen!

      Goog: Cool story bro, not my problem.

      User: you said it was safe, you verified it.

      Goog: Did I? suckerrrrrr.

      User: You F'd me over!

      Goog: App developer got paid, we got paid, you got laid. Welcome to life LOL. So yep.

  4. jonha

    How 'bout that?

    Install LineageOS, don't install Google Apps and use (mostly) F-Droid as an APK source.

    I have done and do this to all my phones and tablets (buying only devices that allow LineageOS to be installed) and I can say: it simply works.

    1. PTW

      Re: How 'bout Lineage?

      The only issue I've had with Lineage is that there seemed to be only one dev supporting my ageing Xiaomi and he lost interest last year, so I've not even had a security update since January.

      But, other than that I highly recommend Lineage

        1. Anonymous Coward

        Re: How 'bout Lineage?

        Even if security updates stopped at some point, an outdated LineageOS will still give you more freedom than a typical outdated OEM ROM.

    2. Cuddles

      Re: How 'bout that?

      "I have done and do this to all my phones and tablets (buying only devices that allow LineageOS to be installed) and I can say: it simply works."

      Which would be great if there was actually any support. Unfortunately, it's not available on the vast majority of phones, and even if you're lucky enough to have one that is supported, it may well not be in a month or two. It's great in principle that people are willing to give up their time to make something like that available at all, but there's little point in recommending it to people in practice because the chance of it actually being useful is close to zero.

        1. Anonymous Coward

        Re: How 'bout that?

        Which would be great if there was actually any support. Unfortunately, it's not available on the vast majority of phones...

        Similar to how Google support is only available on the Google Pixel and not on the vast majority of phones, 'official' LineageOS support isn't available on the vast majority either. (Unofficial support is available far more widely than official support.)

        Users picked Google Pixel knowing that it will be supported by Google.

        So users should also pick a device knowing that it will support LineageOS.

      2. jonha

        Re: How 'bout that?

        "Unfortunately, it's not available on the vast majority of phones, and even if you're lucky enough to have one that is supported"

        Part one of that sentence is not true and as to part two... well, buying LineageOS-compatible stuff is not down to luck or Santa Claus, it is a conscious decision I have taken and take. These items are admittedly often (but not always) a little more expensive but in the long run they save money and a lot of trouble.

        "there's little point in recommending it to people in practice because the chance of it actually being useful is close to zero."

        Funny. I have four mobiles under my control (Sony, Moto, Sammy) and all are on LineageOS. I have three tablets under my control and again, all are on LineageOS.

        I have no Google software on these phones and yet they are fully functional.

        What I would agree with is that many people do not know (and can't be expected to know) how to achieve this though they would want to do it.

        This is partly a reflection of how badly the IT sector has let us down, especially in the last decade or so. Disclaimer: I am a developer myself.

  5. Anonymous Coward

    Advertising library

    "After analyzing the app, we saw an advertising library in it that contains a malicious dropper component"

    So, two pieces of malware then?

    1. DryBones

      Re: Advertising library

      Malware and advertising need to be easier to tell apart. I know what you're thinking, but it's true.

      Advertising wants to sell you things. Malware wants to sell you to things...

  6. bryces666

    shit- does that mean I'm screwed?

    I've been using camscanner for years, first on a Samsung note 3, excellent for scanning documents and saving them on the go.

    I've never noticed anything untoward, but maybe I should factory reset my current phone and start over...

    Any insight anyone?

    Also, any recommendations of safe alternative that can do the same job?

    Regards, Bryce.

    1. DryBones

      Re: shit- does that mean I'm screwed?

      I think? Google Drive app, the Create New has a scan option. Also Google Photoscan.

      1. Anonymous Coward

        Re: shit- does that mean I'm screwed?

        Isn't that going from the frying pan into the fire though?

      2. katrinab Silver badge

        Re: shit- does that mean I'm screwed?

        Or Microsoft Office Lens

    2. Intractable Potsherd

      Re: shit- does that mean I'm screwed?

      Bryce - go to www.camscanner.com and download the latest APK from there. There is also more information about the pwnage.

      1. Mark Morgan

        Re: shit- does that mean I'm screwed?

        Ah, that explains where the dodgy ads are coming from on my phone. And Avast didn't spot it!

  7. anthonyhegedus Silver badge

    I used to use camscanner on my iPhone.

    Why doesn't the article give the name of the developer? There might be more than one app with the same name.

    1. KegRaider

      Read the tech data.

      If you follow the link to the researchers website, they list it all. They even have the app icon.

      INTSIG if you just want to know.

  8. Anonymous Coward

    How did Kaspersky identify this?

    I suppose it is too much to ask that their Android AV solution on someone's affected device phoned home with this?

    Of those 100M downloads at least one must have been running their security suite (in other words, don't just blame Google for missing this; you would like to think Kaspersky were suddenly inundated with reports of malware from their own product).
