Researchers found a Trojan Dropper malicious module hidden within the Android app CamScanner downloaded over 100 million times by Google Play Store users.

The malicious component was found by Kaspersky security researchers Igor Golovin and Anton Kivva while taking a closer look at the insides of the CamScanner app following a deluge of negative reviews posted by users over the last few months.

Confirming that a sudden spike in negative ratings and user reviews usually signals that something is wrong with an app, the researchers found "that the developer added an advertising library to it that contains a malicious dropper component."

Similar modules pre-installed on low-cost devices

This is not the first time this type of malicious module was discovered on Android smartphones, with pre-installed versions having been found on over 100 low-cost Android devices in 2018 and more than two dozen device models in 2016.

In both cases, the malicious component was used by the threat actors to push ads to the infected devices, while the compromised Android smartphones and tablets also had unwanted apps installed behind the users' backs.

CamScanner Play Store entry

In this case, while CamScanner was initially a legitimate Android app using in-app purchases and ad-based monetization, "at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module," says Kaspersky.

The module, dubbed Necro.n and detected as Trojan-Dropper.AndroidOS.Necro.n by Kaspersky's mobile anti-malware solution, is a Trojan Dropper: a malware strain that downloads and installs a Trojan Downloader on the already compromised Android device, which in turn can be used to infect the smartphone or tablet with other malware.

When the CamScanner app is launched on the Android device, the Necro.n dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app's resources.

"As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions," found the researchers.

Executing the malicious payload

Google removed the app from the Play Store after Kaspersky's researchers reported their findings but, as they also add, "it looks like app developers got rid of the malicious code with the latest update of CamScanner."

"Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code," they conclude.

A full list of indicators of compromise (IOCs), including MD5 hashes of the Necro.n malware samples distributed by the attackers and the command-and-control (C2) server domains used in this campaign, is available at the end of Kaspersky's report.
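The two defender-relevant details above, a dropper payload hidden as an archive inside the app's own resources and a published list of sample MD5 hashes, suggest a simple triage check that can be run over an APK before it is trusted. The following script is an added example written for this article, not code from Kaspersky, INTSIG or the CamScanner project: it treats the APK as the zip it is, flags any entry under `assets/` or `res/raw/` whose content starts with the zip magic bytes (regardless of its extension), and compares the APK's MD5 against an IoC set. The IoC set holds an obviously fake placeholder hash, not the real values from Kaspersky's report, and the sample "APK" is constructed in memory so the script runs offline.

```python
import hashlib
import io
import zipfile

# Constructed placeholder, NOT a real Necro.n hash. A practitioner would
# populate this set from the IoC list at the end of Kaspersky's report.
KNOWN_BAD_MD5 = {"00000000000000000000000000000000"}

ZIP_MAGIC = b"PK\x03\x04"               # local file header of a non-empty zip
RESOURCE_DIRS = ("assets/", "res/raw/")  # where an app ships opaque blobs


def md5_hex(data: bytes) -> str:
    """MD5 of the whole file, as used by the report's IoC list."""
    return hashlib.md5(data).hexdigest()


def find_nested_archives(apk_bytes: bytes) -> list:
    """Names of resource entries that are themselves zip archives.

    The check looks at the first bytes of each entry's content rather than
    its name, so a payload renamed to .png or .dat is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(RESOURCE_DIRS):
                continue
            with apk.open(info) as entry:
                head = entry.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC:
                hits.append(info.filename)
    return hits


def check_apk(apk_bytes: bytes) -> dict:
    """Triage summary: file hash, IoC match, and embedded archives found."""
    digest = md5_hex(apk_bytes)
    return {
        "md5": digest,
        "ioc_match": digest in KNOWN_BAD_MD5,
        "nested_archives": find_nested_archives(apk_bytes),
    }


def build_sample_apk(with_payload: bool) -> bytes:
    """Constructed stand-in for an APK (a zip with a manifest and a dex file).

    When with_payload is True, a nested zip named like the one in the article
    is added under assets/. Its contents are filler bytes, not real code.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("filler.bin", b"\x00" * 32)  # constructed filler, not a dex
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        if with_payload:
            apk.writestr("assets/mutter.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("payload" if flag else "clean  ", check_apk(build_sample_apk(flag)))
```

A hit from `find_nested_archives` is a lead, not a verdict: plenty of legitimate apps ship compressed assets. The value of the check is that it is cheap, works on the artifact actually installed on a device (versions differ per device, as Kaspersky notes), and pairs naturally with hash matching against the published IoCs.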

This is yet another incident affecting Play Store users in August, with researchers previously discovering a clicker Trojan bundled within over 33 apps distributed via Google's official Android store and downloaded more than 100 million times.

Also, just last week, an Android app including the spyware capabilities of the open-source AhMyth Android RAT managed to circumvent Google Play Store's automated malware protection twice over a period of two weeks as found by ESET researchers.

Update August 29, 08:01 EDT: The CamScanner team told BleepingComputer in an official statement that the Necro.n Trojan Dropper malicious component was introduced into their app's codebase via a third-party SDK provided by AdHub.

INTSIG, the company behind the CamScanner app, also answered several of our questions via e-mail:

1. How did the malicious component found by Kaspersky's researchers end up in CamScanner's codebase?

A: We have integrated a 3rd-party SDK offered by AdHub. Apparently, the SDK tricked us and Google Play as well.

2. Have you published an updated version available without the malicious code?

A: Yes. It's on our official website: www.camscanner.com. We are still discussing with Google Play regarding our case.

3. Will you continue to use the ad framework that compromised the CamScanner app?

A: AdHub SDK has been fully removed and banned forever. We will take legal action against them. At the same time, we are taking down all ad SDKs and are re-evaluating the ad-revenue model.

4. Have you been contacted by Google or Kaspersky before the researchers published their report on the Necro.n Trojan Dropper malicious component and CamScanner was removed from Google's Play Store?

A: No.

5. Do you have any official statement for CamScanner's userbase?

A: Yes. It has been posted on the CamScanner Facebook page and the CamScanner Twitter page.

CamScanner's official statement published on Twitter is embedded below: