If your Android phone or tablet has suddenly started showing lots of ads or its browser has been popping open on its own, a rogue app called Barcode Scanner may be to blame.
Malwarebytes detailed in a blog post last week how its forum users tipped off researchers about Barcode Scanner, an app that had been installed by more than 10 million people over several years before it started doing shady things after an update in early December 2020.
Google subsequently yanked the bad Barcode Scanner app from the Google Play Store. Several other apps with that same name — let’s call them the “good” Barcode Scanners — are still there. If the bad Barcode Scanner is on your phone or tablet, you’ll want to uninstall it. (You’ll also want to make sure you’ve got one of the best Android antivirus apps installed.)
Malwarebytes calls what the bad Barcode Scanner did “malicious.” To us, it sounds like the app became more adware than malware.
From what Malwarebytes describes, the app started forcing users’ default Android browsers (this would be Google Chrome on most devices) to open new pages pointing to online ads, then put them foremost on the device’s display without the user’s request.
That’s pretty annoying, but it’s a long way from being real Android malware that steals sensitive personal information or drafts your device into an Android botnet. The ad-ridden update got past Google Play’s screeners by hiding the dodgy parts of its code.
Malwarebytes said the Barcode Scanner in question was developed by a company calling itself LavaBird Ltd., which makes at least four other apps still in Google Play and whose incomplete street address implies it’s based in a rather expensive part of central London. Here’s a picture of what the Google Play app entry looked like before the app was kicked out.
However, archived versions of the Google Play Store URL provided by Malwarebytes show a different developer, one based in India and named, well, Barcode Scanner.
The old and new versions of the Barcode Scanner app have consistent version numbers, and both cite identical numbers of installs and Android system requirements.
It looks like the original Barcode Scanner developer may have sold the app to another party, who then may have injected adware.
How to tell if you’ve got the bad Barcode Scanner, and how to remove it
The actual Android app ID is “com.qrcodescanner.barcodescanner”, but Google doesn’t make it easy to view an installed app’s ID without bouncing you to the Google Play Store website. The Play Store page for this particular app has been taken down.
Probably the easiest way to see whether you have the bad Barcode Scanner installed is to go to Settings > Apps. Look for an app called Barcode Scanner. If it’s not there, you’re good.
If there is a Barcode Scanner app, then you need to confirm which Barcode Scanner it is. Tap the app listing in Settings, then tap Advanced. Tap App details.
At this point, you should be taken to the Barcode Scanner’s page in the Google Play app. If the page just keeps loading and nothing comes up, it implies there’s no listing in Google Play. You can presume you’ve got the bad app, and you’ll want to go back a couple of steps to the app listing page in Settings and uninstall the app.
If you do get a Google Play app page, then double-check the app developer’s name. It should be right under the app’s name at the top of the page.
If the developer name says LAVABIRD LTD., then go back to the app listing page in Settings and uninstall the app. If it says something else, then it’s one of the half-dozen other Barcode Scanner apps and it’s safe to leave it installed.
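If you have Android's adb tool set up, you can check for the app ID directly instead of going through the Play Store. The script below is an added example, not code from Malwarebytes or from the original article; it assumes USB debugging is enabled for the live check, and the sample listings and the `.lite` package name are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the app ID named in the article in `pm list packages` output.
BAD_ID="com.qrcodescanner.barcodescanner"   # app ID quoted in the article

# Reads `adb shell pm list packages` output on stdin.
# Returns 0 if the exact package ID is listed, 1 otherwise.
has_bad_scanner() {
    tr -d '\r' |                  # older adb/Android combinations emit CRLF line endings
    sed -n 's/^package://p' |     # keep "package:<id>" lines, strip the prefix
    grep -Fxq -- "$BAD_ID"        # literal, whole-line match: no substring hits
}

# Live check; assumes adb is installed and one device is connected with USB debugging on.
check_device() {
    adb shell pm list packages | has_bad_scanner
}

# Constructed sample listings (not captured from a real device).
SAMPLE_AFFECTED='package:com.android.chrome
package:com.qrcodescanner.barcodescanner
package:com.example.notes'
# A different, hypothetical scanner whose ID merely starts with the same string.
SAMPLE_OTHER='package:com.android.chrome
package:com.qrcodescanner.barcodescanner.lite'

report() {   # $1 = label, $2 = listing text
    if printf '%s\n' "$2" | has_bad_scanner; then
        echo "$1: $BAD_ID is installed, uninstall it"
    else
        echo "$1: not found"
    fi
}

report "sample-affected" "$SAMPLE_AFFECTED"
report "sample-other" "$SAMPLE_OTHER"
```

The whole-line match matters because several other apps share the Barcode Scanner name and may have similar IDs; only the exact ID above is the one to remove.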