Update: The Cam Scanner team acknowledged the malware on Twitter and released a statement confirming that they have fixed the issue by removing the third-party library. They also confirmed that a new version will be released soon and gave a direct link to download the APK file for Android.
— CamScanner (@CamScanner) August 28, 2019
Original Story: Popular PDF creator app Cam Scanner is riddled with malware that can remotely hijack your Android device and steal data stored on it. The malware has been found in the free version of the app, so if you’re using the paid version then you’re probably okay.
The app has been insanely popular among Android users and has over 100 million downloads. Unfortunately, the creators of the app have gone rogue, as researchers found a hidden Trojan-Dropper module within the app. However, researchers found the Trojan to be inside a third-party advertising library and not inside the app itself. This is possibly one of the reasons why the paid version of the app is safe.
The malware was found by researchers at Kaspersky, who submitted their report to Google, and the company took down the app from the Play Store.
The module extracts and runs another malicious module from an encrypted file included in the app’s resources.
As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.
Google has been fighting an uphill battle against malware and bad apps on the Play Store for a while now. The company has increased its scrutiny in recent years, but apps still pass Google’s checks. Moreover, researchers at Kaspersky noted that it’s easy to target millions using popular apps and there’s a chance that apps might contain malware even though they have been downloaded from the official app store.
What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base — can turn into malware overnight.
It’s always a good idea to read reviews and do your own due diligence before downloading even popular apps. We do recommend that you uninstall Cam Scanner immediately and wait for the developers to give the all-clear signal before reinstalling it. We have reached out to the Cam Scanner team for comments on the issue. In the meantime, Microsoft has Office Lens on the Play Store that can help you scan and create PDF files with ease.