A few days ago, the Barcode Scanner app made the news for potentially infecting millions of users with malware. The disaster happened when this legitimate app rolled out an update containing malicious code. While the original developers initially appeared to be responsible, it now turns out that the fiasco was caused by the app’s new owner.
What Happened To Barcode Scanner App?
In a recent blog post, Malwarebytes Labs has shared updates about the Barcode Scanner app update issue.
The original app developer, LavaBird Ltd., contacted Malwarebytes Labs to clarify what had happened with the app.
As revealed, LavaBird had already sold the app to another team before the malicious update rolled out. They therefore explained that the malicious update did not, in fact, come from LavaBird, but from the new owners, ‘The space team’. In their message to Malwarebytes Labs, LavaBird stated,
The update that we published from our account was made by the buyer to verify the key and password from the application.
The buyer was given access to the Google Play console of this application and he updated it himself.
In short, LavaBird was carrying out the transfer process to “The space team” as an intermediary. LavaBird temporarily received ownership of the app from the original owners on November 25, 2020. After that, LavaBird entered into an agreement with “The space team”, following which the latter asked LavaBird to verify the app signing key and app analytics.
This is what led to the roll-out of two different updates during that period, one on November 27, 2020, and the second on December 4, 2020. The malicious code appeared with the Nov. 27 update, which LavaBird did not cross-check.
Explaining why they didn’t do so, they said,
Usually we do not check the code, because the application will go to another publisher and if he makes mistakes, then it will be a minus for him and not for us.
That is how the malware reached a huge number of users – seemingly, everyone who updated to Barcode Scanner app version 1.67 on their devices.
Who Were The ‘New Owners’?
While it is fairly clear that LavaBird was not responsible for the malicious update to the app, it is striking that they made so little effort to verify the credibility of the buyers.
According to Malwarebytes, very little information is available about “The space team”. It seems they just created the account on the Play Store at the time of purchasing the app.
Asked why LavaBird had not tried to validate the buyers, they stated,
Unfortunately, we did not have such practice, but this lesson will remain with us for life.
In any case, it is now evident that LavaBird did not intentionally infect the legitimate Barcode Scanner app; rather, it was the new owners.
But whoever is ultimately held responsible for this disaster, the ones who suffer the consequences are the users.
Once again, all users who still have this app on their devices should remove it as soon as possible.