CamScanner, a popular app used to scan PDF documents, was reportedly spreading malware. The app has been around since 2010, and it has been downloaded more than 100 million times. As the Russian antivirus firm Kaspersky discovered, the app recently began spreading malware on Android devices. Google has since pulled CamScanner from the Google Play Store.
The malicious code was delivered via an ad library. The trojan resulted in “intrusive ads” and signed users up for paid subscriptions. It was also designed to connect to the user’s server and download additional code. According to Kaspersky, recent updates to the CamScanner app have apparently removed the malware.
As ZDNet points out, CamScanner has 1.8 million, mostly positive reviews, on Google Play. Kaspersky began investigating the app after a batch of negative reviews appeared. The incident is a reminder that even popular, longstanding apps are not safe from malware attacks.
The company has relied on ads and in-app purchases to earn revenue from CamScanner. However, according to researchers at Russian antivirus firm Kaspersky, recent versions of the app included a new advertising library that contained a Trojan designed to deliver malware to Android devices.
Kaspersky notes that the “malicious code may show intrusive ads and sign users up for paid subscriptions.” Intrusive ads are pesky, but no consumer wants to pay for subscriptions they never signed up for.

The so-called trojan dropper is configured to connect to the attackers’ servers, download additional code, and then execute that code on Android devices with the app installed.
The digital universe is doubling every two years, and it will grow from 4.4 trillion gigabytes to 44 trillion gigabytes between 2013 and 2020. Accordingly, finding a way to manage this influx of data is now a top priority on every IT and storage…Research provided by TechRepublic Premium.
The app is currently unavailable in the Google Play store, which is the safest place to install Android apps, but its corresponding iOS version is still available on Apple’s App Store.
The incident looks more like a case of developers accidentally using a malicious ad library, which are frequently found to be embedded in otherwise legitimate apps.

One ad library, called BeiTaPlugin, recently began shipping with 238 Google Play apps and affected 440 million users. And after those apps were pulled by Google, other Chinese Android app developers tried hiding the same library in another 60 apps that were again removed by Google.
“It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” noted Kaspersky researchers Igor Golovin and Anton Kivva.
Kaspersky notes that the app developers appeared to have removed the malicious code in more recent updates to the CamScanner app.
But the case upends the usual rule that users can judge an app by user reviews. On Google Play it has 1.8 million reviews, weighted heavily towards five out of five stars. Similarly, reviews on Apple’s App Store are generally glowing.
However, Kaspersky started investigating the app after researchers started noticing a batch of recent negative reviews on Google Play.
“What we can learn from this story is that any app — even one from an official store, even one with a good reputation, and even one with millions of positive reviews and a big, loyal user base —can turn into malware overnight. Every app is just one update away from a major change,” Kaspersky researchers said.
CC Intelligence says it has now removed all the advert SDKs not certified by Google Play from its app and is releasing a new version of CamScanner.
The company is inviting users affected by the issues to get in contact for a direct upgrade and also provides a link in the statement published on its website to download the new version.
CC Intelligence said the advert SDK provided by a third-party violates its own security policy and it would be taking immediate legal action.
“Fortunately, after rounds of security checks, we have not found any evidence showing the module could cause any leak of document data,” CC Intelligence said.