Experts from Kaspersky Lab found a dangerous virus on Google Play. It was found in the application CamScanner. At the same time, experts note that the software was downloaded about 100 million times.
The software recognizes text on photographed documents and creates PDF files. In the catalog the software can have other names, such as CamScanner - Phone PDF Creator or CamScanner - Scanner to scan PDFs.
Specialists noticed the application due to the fact that users have complained about the strange behavior of CamScanner. The reports were received more than once.
Later it turned out that the software was not initially infected with a virus. At some point, the developers switched to monetizing advertising, as well as introducing premium accounts. From that point on, problems began to occur in the application. It wasn't the software code itself that was infected with the virus, but rather an advertising library that had been added to CamScanner not so long ago. It is possible that the developer's collaboration with an unscrupulous advertiser was to blame.
The virus has already been identified. It is Trojan-Dropper.AndroidOS.Necro.n. It had previously been found on smartphones from China.
When the dropper got on the smartphone, it extracted another malicious module from an encrypted file stored in the app's resources and then launched it. Another module in the lineup was a bootloader Trojan. Its function was to contact a C&C server, and then download and install other malicious components.
The malware is capable of displaying intrusive ads and charging users for subscriptions.
At this time the application I Google Play is no longer available. Specialists reminded that CamScanner, if installed on the device, may still contain malicious code, which may be relevant in different software versions.