Security Analysis of QR/Barcode Apps Finds Malware
Cyber security expert Gary Miliefsky takes down a number of rogue QR code apps found in the Google Play store that are silently communicating your personal data to foreign countries!
By Gary S. Miliefsky, Cyber Security Expert, CISSP® and CEO of SnoopWall
Public Company Apps:
Many of these QR code and barcode scanners come from legitimate sources like eBay, Zxing, Scan Inc, and DroidLa. Despite this, SnoopWall still deems many of them voluntary creepware. The reason for this is that many have intrusive permissions that allow them to geolocate you, read your contacts, access USB storage, read your call log, make phone calls, and even record audio. Most of these permissions are legitimate, as most of these apps allow the user to generate information like phone numbers, contacts, and locations as scan-able QR codes.
Indeed, these companies are using those permissions to make their own apps more profitable, whether through stronger targeting of ads, analysis of which parts and features of their app seem most effective, new features that need said permissions, or other reasons for collecting user data.
For example, in DroidLa's privacy policy for their QR code scanner, they even state regarding personally identifiable information:
“Information That You Provide Us: We receive and store personal information you provide us in any way, such as by telephone or by electronic mail. This information may include your name, address, e-mail address, telephone number, and mobile device information.
We may automatically receive and store certain other types of information whenever you interact with us. For example, our servers might track the type of mobile phone or Web browser you are using, where you travel within the Site/App, and the page to which you link from the Site. This type of collective data enables us to figure out how often our customers use parts of the Site/App, so we can make improvements and changes to the Site and App so that it may best serve as many customers as possible.”
So you can trust these apps as much as you would trust the companies that make them. So long as you don't mind sharing your data with them, and don't mind how they're using it, you should have nothing to worry about. The biggest concern here is the possibility of one of these companies suffering a data breach by hackers who target them because of all the data they collect on so many consumers.
Third-Party Apps:
Of more concern are the third-party applications available on the Play Store. Just in the top 12 there are 3 that stand out as malware:
- QR Code Scan & Barcode Scanner, by pickwick santa. #4 in the Play Store
- QR Barcode Scanner, by VillaCat. #7 in the Play Store
- QR Code Scan & Barcode Scanner. #11 in the Play Store
The first red flags are easily seen in their Play Store listings:
- None of them have websites, just a Gmail address, which anyone can make.
- Only the first has a privacy policy, which is a very poorly written wiki page on GitHub that barely scratches the surface as to why it requests the permissions it is using, see: https://github.com/pickwicksanta/QR-Code-Scan-Barcode-Scanner/wiki/Questions-&-Answers
- All of these QR code tools share an almost identical description for their app, and appear to be copy/pasted with minimal differences. Also, you can see this text is very poorly written. It all appears to be done by the same person or threat actors.
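The three listing checks above can be run mechanically over store metadata. The following is an added example, not SnoopWall's tooling: the listing records, field names and the 0.6 similarity threshold are assumptions, and the sample data is constructed.

```python
import re
from itertools import combinations

FREE_MAIL = {"gmail.com"}  # the article names Gmail; extend this set as needed

def shingles(text, k=3):
    """Return the set of k-word shingles of a store description."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    """Jaccard similarity of two descriptions' shingle sets (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

def triage(listings, threshold=0.6):
    """Map each listing name to the listing red flags it raises."""
    flags = {item["name"]: [] for item in listings}
    for item in listings:
        domain = item["contact_email"].rsplit("@", 1)[-1].lower()
        if not item["website"] and domain in FREE_MAIL:
            flags[item["name"]].append("no website, free-mail contact only")
        if not item["privacy_policy"]:
            flags[item["name"]].append("no privacy policy")
    # Copy/pasted descriptions suggest one author behind several listings.
    for a, b in combinations(listings, 2):
        if jaccard(a["description"], b["description"]) >= threshold:
            flags[a["name"]].append("description near-identical to " + b["name"])
            flags[b["name"]].append("description near-identical to " + a["name"])
    return flags

# Constructed sample listings (hypothetical, not real Play Store data).
DESC_A = ("Fast QR code scanner and barcode reader. "
          "Scan all QR code and barcode types with best speed.")
DESC_B = DESC_A.replace("best", "top")
LISTINGS = [
    {"name": "Scanner A", "website": None, "contact_email": "dev.a@gmail.com",
     "privacy_policy": "https://example.org/policy", "description": DESC_A},
    {"name": "Scanner B", "website": None, "contact_email": "dev.b@gmail.com",
     "privacy_policy": None, "description": DESC_B},
    {"name": "Scanner C", "website": "https://example.com",
     "contact_email": "support@example.com",
     "privacy_policy": "https://example.com/privacy",
     "description": "Open-source scanner from a company with a published "
                    "policy; decodes product barcodes offline."},
]

if __name__ == "__main__":
    for name, found in triage(LISTINGS).items():
        print(name, "->", found or "no flags")
```

A flagged listing is a candidate for closer inspection of its permissions and network traffic, not a verdict on its own.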
Once we looked closer at these apps, we were able to determine that all three of these apps were sending encrypted data to one or more IP addresses in China. The same addresses in China!
They were also all using the Zxing API library to query email contacts. While this is a normal feature of the Zxing library – used to convert a contact into a QR code – it would not be out of the realm of possibility for the makers of these apps to have altered the library code before obfuscating it to cover their tracks.
Additionally, the maker of the second app – QR Barcode Scanner – also has an app called “Private Diary Notes,” an app with full network access and the ability to send SMS messages. We found this app was also sending encrypted data to China.
Our final determination is that these three apps, which have over 11 million users, are almost definitely malware. At worst, they appear to be part of a data collection/phishing scheme. At best they are mobile malvertising apps made to generate as much ad revenue as possible, even if that means intruding upon potentially sensitive data. Ultimately they are CREEPWARE!
We strongly recommend uninstalling any of these QR scanning apps, as well as any others from the Play Store that share any similarities with the above. Our investigation continues and we will produce a threat report in more detail including what we find on the iTunes store for iOS QR scanning apps. Ring the alarm bells if you have any of the apps we described in more detail installed on your Android device.
Gary S. Miliefsky is an IT/cyber security expert and the CEO of SnoopWall, a cutting edge counter-intelligence technology. He recently blew the lid on how the Russian, Chinese and Indian hackers are behind the top flashlight apps specifically designed to collect and expose your personal information. Gary also advised the National Infrastructure Advisory Council (NIAC) which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace.