The affected app is called CamScanner, which has more than 100 million downloads in Google Play, and is a very popular phone-based PDF creator app that comes in a free (ad-supported) and in a paid version. While the malicious module doesn’t actually reside in the code of CamScanner Android app itself, it was introduced in the PDF creator app as part of a 3rd-party advertising library. “CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module,” the researchers said in a blog post. Kaspersky security researchers Igor Golovin and Anton Kivva found the malware in the free version of CamScanner app after several users spotted suspicious behaviour and left negative reviews on the app’s Google Play page over the past month with warnings to avoid the app. It appears that the developers added a new advertising management module that contained the code “Trojan-Dropper.AndroidOS.Necro.n”, which were also found in some apps preinstalled on smartphones sold in China. It can be assumed that the malware was added due to the app developers’ partnership with an unscrupulous advertiser. The module is a trojan dropper, which means that “the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This “dropped” malware, in turn, is a Trojan-Downloader that downloads more malicious modules depending on what its creators are up to at the moment,” researchers warned. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.” The researchers reported their findings to Google, who promptly removed the free version of the app from its official Play Store. Soon after, the developers of the app too removed the malicious code from the application with the latest update. “It looks like app developers got rid of the malicious code with the latest update of CamScanner. Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code,” the researchers warned. However, the paid version of the app continues to remain on the Play Store, as it doesn’t include the 3rd-party advertising library (malware). For more detailed analysis about the Trojan-Dropper malware found in the CamScanner app, you can read Kasperky’s report here. If you are using the free version of the CamScanner app on your smartphone, it is advisable to uninstall the app from your Android right away to be safe! Also, we strongly recommend you to keep a good antivirus app on your Android device to regularly scan and block any malicious activities from infecting your device.