One of the most popular photo-scanning apps with OCR capabilities, CamScanner was recently found out to be riddled with nasty malware. 

An estimated 100 million of CamScanner users may be affected as a result of this threat. After a series of negative reviews on the Google Play Store by users who observed suspicious behavior on the app, Kaspersky researchers investigated and discovered the malicious components of the application. Reportedly, one of the app’s advertising libraries contained the malware component. 

Although the developers have removed the malware component from the app’s latest version, millions of users have been affected as a result of this malicious threat which could steal money off users in the form of paid subscriptions. 

According to the experts, the app had been distributing malware through a compromised third-party SDK called AdHub. The security researchers from Kaspersky named the malicious dropper component as ‘Trojan-Dropper’. Detected as Trojan-Dropper.AndroidOS.Necro.n, the malware component prompted Google authorities to remove the app from the Google Play Store. This particular malware was previously spotted in some other apps which came pre-installed on a few Chinese smartphones. 

Technical Analysis By Appknox

Here we explain how the dropper gets downloaded from the malign application and the IoCs one needs to identify the infected device.

The compressed file mutter.zip cannot be unzipped since the application encrypts it and whenever the Camscanner is run, the ZIP file gets decrypted and the malicious executable is run.

Corresponding code is responsible for decrypting the ZIP file when the Camscanner application is started. The file Duration.java contains the logic for decrypting the ZIP and unpacking the malware.

           file = Duration.fireman(context, "mutter.zip", "ugi");
           sources/com/freely/HandleLauncher.java
 
           public class Duration {
             private static void climate(InputStream inputStream, OutputStream outputStream, int i) {
             int i2;
             InputStream inputStream2 = inputStream;
             ....
           sources/com/finance/Duration.java

We had copied the java code to decrypt and ran it separately which gave us the dex file which can be decompiled to get the source code back using tools such as d2j and jadx.

On reversing the dex file, we can find that the dropper further downloads malicious files which compromises the device and does malvertising campaign on the users with affected devices. Kaspersky also found that this is a strain of Trojan-Dropper.AndroidOS.Necro.n which leads to intrusive advertising to steal money from users.

Furthermore, the IoC and C&C's are mentioned here.

High-Risk Vulnerabilities:

After a thorough security assessment of the CamScanner mobile app by Appknox experts, 5 high-risk components were also found:

1. Insufficient Transport Layer Protection: With a risk score of 8.1, the CamScanner app was found to be significantly vulnerable to insufficient transport layer issues. This type of vulnerability happens when the mobile app sends data to the servers over unsecured channels. This unprotected data could be easily sniffed while in transit.  
   
   
2. Disabled SSL CA Validation and Certificate Pinning: The application’s SSL CA Validation and Certificate Pinning were also disabled leading to unsafe data transfer between the app and the servers.   
   
   
3. Content Provider File Traversal Vulnerability: Content Providers act as a medium of data sharing between various applications in a device. This vulnerability allows other apps on the device to request sensitive information from CamScanner and hackers may also utilize this vulnerability to navigate across the user’s local file system. 
   
   
4. Derived Crypto Keys: The app recorded a risk score of 8.6 on this criterion as traces of derived or intermediate Crypto Keys were found in the app.  
   
   
5. Javascript CORS enabled in Webview: As a result of this vulnerability, any arbitrary URL could gain access to the CamScanner resources. 
           

Preventive Measures:

The CamScanner security incident has lessons for both developers and users as well. The developers slipped malicious content via advertising libraries and in order to keep a check on that, it becomes necessary to run SDK checks while integrating any advertising library into apps. 

The CamScanner app also had several high-risk vulnerabilities mentioned above. App developers need to ensure that their app holds ground on these basic security checks and ensure features like proper transport layer protection and SSL CA validation and certificate pinning to minimize unprotected data transfer over servers. Other vulnerabilities may be mitigated as well by iterating continuous security checks or by consulting trusted mobile app security testing vendors.      

For the users, it is essential to get rid of apps downloaded from untrusted sources and continuously monitor for suspicious activities on the trusted apps as well. Using an advanced anti-virus application may also be an option.    

Final Thoughts

Even though the developers at CamScanner promise to have fixed the malicious code in the latest update, numerous users with older versions of the app may still be on the verge of getting hacked. Most of the smartphone users trust Google Play Store and consider it the safest place to download applications, but the case with CamScanner proves it otherwise. 

Researchers believe that even trusted organizations like Google can’t check millions of applications thoroughly and as more and more updates come by, the job always remains an unfinished one.