Scanner or Scammer: Analysis of CamScanner Vulnerability by Appknox

One of the most popular photo-scanning apps with OCR capabilities, CamScanner was recently found out to be riddled with nasty malware. 

An estimated 100 million of CamScanner users may be affected as a result of this threat. After a series of negative reviews on the Google Play Store by users who observed suspicious behavior on the app, Kaspersky researchers investigated and discovered the malicious components of the application. Reportedly, one of the app’s advertising libraries contained the malware component. 

Although the developers have removed the malware component from the app’s latest version, millions of users have been affected as a result of this malicious threat which could steal money off users in the form of paid subscriptions. 

According to the experts, the app had been distributing malware through a compromised third-party SDK called AdHub. The security researchers from Kaspersky named the malicious dropper component as ‘Trojan-Dropper’. Detected as Trojan-Dropper.AndroidOS.Necro.n, the malware component prompted Google authorities to remove the app from the Google Play Store. This particular malware was previously spotted in some other apps which came pre-installed on a few Chinese smartphones. 

Technical Analysis By Appknox

Here we explain how the dropper gets downloaded from the malign application and the IoCs one needs to identify the infected device.


Screenshot 2019-09-01 at 8.26.46 PM


The compressed file cannot be unzipped since the application encrypts it and whenever the Camscanner is run, the ZIP file gets decrypted and the malicious executable is run.

Corresponding code is responsible for decrypting the ZIP file when the Camscanner application is started. The file contains the logic for decrypting the ZIP and unpacking the malware.

           file = Duration.fireman(context, "", "ugi");

public class Duration {
private static void climate(InputStream inputStream, OutputStream outputStream, int i) {
int i2;
InputStream inputStream2 = inputStream;

We had copied the java code to decrypt and ran it separately which gave us the dex file which can be decompiled to get the source code back using tools such as d2j and jadx.

Screenshot 2019-09-01 at 9.16.42 PM

On reversing the dex file, we can find that the dropper further downloads malicious files which compromises the device and does malvertising campaign on the users with affected devices. Kaspersky also found that this is a strain of Trojan-Dropper.AndroidOS.Necro.n which leads to intrusive advertising to steal money from users.

Screenshot 2019-09-01 at 9.22.01 PM

Furthermore, the IoC and C&C's are mentioned here.

High-Risk Vulnerabilities:

After a thorough security assessment of the CamScanner mobile app by Appknox experts, 5 high-risk components were also found:

  1. Insufficient Transport Layer Protection: With a risk score of 8.1, the CamScanner app was found to be significantly vulnerable to insufficient transport layer issues. This type of vulnerability happens when the mobile app sends data to the servers over unsecured channels. This unprotected data could be easily sniffed while in transit.  

  2. Disabled SSL CA Validation and Certificate Pinning: The application’s SSL CA Validation and Certificate Pinning were also disabled leading to unsafe data transfer between the app and the servers.   

  3. Content Provider File Traversal Vulnerability: Content Providers act as a medium of data sharing between various applications in a device. This vulnerability allows other apps on the device to request sensitive information from CamScanner and hackers may also utilize this vulnerability to navigate across the user’s local file system. 

  4. Derived Crypto Keys: The app recorded a risk score of 8.6 on this criterion as traces of derived or intermediate Crypto Keys were found in the app.  

  5. Javascript CORS enabled in Webview: As a result of this vulnerability, any arbitrary URL could gain access to the CamScanner resources. 

Preventive Measures:

The CamScanner security incident has lessons for both developers and users as well. The developers slipped malicious content via advertising libraries and in order to keep a check on that, it becomes necessary to run SDK checks while integrating any advertising library into apps. 

The CamScanner app also had several high-risk vulnerabilities mentioned above. App developers need to ensure that their app holds ground on these basic security checks and ensure features like proper transport layer protection and SSL CA validation and certificate pinning to minimize unprotected data transfer over servers. Other vulnerabilities may be mitigated as well by iterating continuous security checks or by consulting trusted mobile app security testing vendors.      

For the users, it is essential to get rid of apps downloaded from untrusted sources and continuously monitor for suspicious activities on the trusted apps as well. Using an advanced anti-virus application may also be an option.    

Final Thoughts

Even though the developers at CamScanner promise to have fixed the malicious code in the latest update, numerous users with older versions of the app may still be on the verge of getting hacked. Most of the smartphone users trust Google Play Store and consider it the safest place to download applications, but the case with CamScanner proves it otherwise. 

Researchers believe that even trusted organizations like Google can’t check millions of applications thoroughly and as more and more updates come by, the job always remains an unfinished one.  


Published on Sep 13, 2019
Abhinav Vasisth
Written by Abhinav Vasisth
Abhinav Vasisth is a certified ethical hacker and the security research lead at Appknox, a mobile security suite that helps enterprises automate mobile security. Abhinav has been a critical member of Appknox for 5 years, reinventing the standards of mobile app security against evolving threats. He is highly regarded in the industry for his expertise, speaks at various security conferences like PHDays, and has collaborated with numerous enterprises to safeguard their digital assets.
When he's not outsmarting hackers, he listens to metal music or is lost in books.


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now