Scanner or Scammer: Analysis of CamScanner Vulnerability

Scanner or Scammer: how CamScanner caused trouble for millions of users.

By Harshit Agarwal · Sep. 17, 19 · Analysis

CamScanner, one of the most popular photo-scanning apps with OCR capabilities, was recently found to be riddled with nasty malware.

An estimated 100 million CamScanner users may be affected by this threat. After a series of negative reviews on the Google Play Store from users who observed suspicious behavior in the app, Kaspersky researchers investigated and discovered the malicious components of the application. Reportedly, one of the app's advertising libraries contained the malware component.

Although the developers have removed the malicious component from the app's latest version, millions of users had already been exposed to a threat that can steal money from them in the form of paid subscriptions.


According to the researchers, the app distributed the malware through a compromised third-party advertising SDK called AdHub. Kaspersky classified the malicious component as a Trojan dropper, detected as Trojan-Dropper.AndroidOS.Necro.n, and the finding prompted Google to remove the app from the Google Play Store.

This particular malware had previously been spotted in other apps that came pre-installed on some Chinese smartphones.

Figure: Identified malware

Here, we explain how the dropper gets downloaded from the application and the IoCs needed to identify the infected device.

Figure: Dropper downloaded from zip

The compressed file mutter.zip cannot be unzipped directly because the application stores it encrypted; whenever CamScanner is run, the ZIP file is decrypted and the malicious executable inside it runs. The decryption happens at launch, and the file Duration.java contains the logic that decrypts the ZIP file and unpacks the malware.

sources/com/freely/HandleLauncher.java:

    file = Duration.fireman(context, "mutter.zip", "ugi");

sources/com/finance/Duration.java:

    public class Duration {

        private static void climate(InputStream inputStream, OutputStream outputStream, int i) {

            int i2;

            InputStream inputStream2 = inputStream;

            ....


We copied the decryption routine out of the decompiled Java code and ran it separately; the result was a dex file, which can be decompiled back to source code with tools such as d2j (dex2jar) and jadx.
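As an added defender-side example (not code from the original article or from the researchers it cites), the following Python script triages an APK's assets for the pattern described above: a file named as a ZIP that carries no ZIP header and has near-uniform byte entropy, as an encrypted payload would. The sample APK and the bytes of its "mutter.zip" entry are constructed inline; only the file name is taken from the article.

```python
import io
import math
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"   # local file header that every non-empty ZIP starts with
ENTROPY_THRESHOLD = 7.5     # bits/byte; encrypted or random data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspicious_assets(apk_bytes: bytes):
    """Return [(asset name, [reasons])] for assets/ entries that look like hidden payloads.
    An APK is itself a ZIP, so its assets/ directory can be read directly."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            is_real_zip = data.startswith(ZIP_MAGIC)
            reasons = []
            if info.filename.lower().endswith(".zip") and not is_real_zip:
                reasons.append("named .zip but carries no ZIP header")
            entropy = shannon_entropy(data)
            if not is_real_zip and entropy >= ENTROPY_THRESHOLD:
                reasons.append(f"near-uniform byte entropy ({entropy:.2f} bits/byte)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_apk() -> bytes:
    """Constructed in-memory APK: a benign asset, a genuine nested ZIP and a fake 'zip'."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("readme.txt", b"help text shipped with the scanner")
    # Deterministic stand-in for an encrypted blob: each byte value occurs equally often.
    opaque = bytes((i * 7919 + 13) % 256 for i in range(4096))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as apk:
        apk.writestr("assets/config.json", b'{"ocr": true, "lang": "en"}')
        apk.writestr("assets/help.zip", nested.getvalue())
        apk.writestr("assets/mutter.zip", opaque)  # file name from the article, bytes constructed
    return out.getvalue()
```

Running find_suspicious_assets(build_sample_apk()) flags only assets/mutter.zip, with both reasons; the real APK would be passed as the bytes of the file instead of the constructed sample.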

Figure: Decompiling source code

On reversing the dex file, we find that the dropper downloads further malicious files, which compromise the device and run a malvertising campaign against the affected users. Kaspersky also found that this is a strain of Trojan-Dropper.AndroidOS.Necro.n, which serves intrusive advertising in order to steal money from users. The dropper allows attackers to install other malware that may expose users' banking credentials or sign them up for fake subscriptions.

Figure: Installing other malware

The IoCs and C&C servers are listed in the figure as well.

High-Risk Vulnerabilities

After a thorough security assessment of the CamScanner mobile app by Appknox experts, five high-risk components were also found:

  1. Insufficient Transport Layer Protection: With a risk score of 8.1, the CamScanner app was found to be significantly exposed to insufficient transport layer protection. This type of vulnerability arises when a mobile app sends data to its servers over unsecured channels, where the unprotected data can easily be sniffed in transit.
  2. Disabled SSL CA Validation and Certificate Pinning: The application's SSL CA validation and certificate pinning were also disabled, leading to unsafe data transfer between the app and its servers.
  3. Content Provider File Traversal Vulnerability: Content Providers act as a medium for sharing data between applications on a device. This vulnerability allows other apps on the device to request sensitive information from CamScanner; attackers may also use it to traverse the user's local file system.
  4. Derived Crypto Keys: The app recorded a risk score of 8.6 on this criterion, as traces of derived or intermediate crypto keys were found in the app.
  5. JavaScript CORS Enabled in WebView: As a result of this vulnerability, an arbitrary URL could gain access to CamScanner's resources.

Preventive Measures

The CamScanner security incident has lessons for both developers and users. Malicious content reached the app through an advertising library, so keeping this in check means running SDK checks whenever an advertising library is integrated into an app.

The CamScanner app also had the several high-risk vulnerabilities mentioned above. App developers need to ensure that their app passes these basic security checks, and implement features such as proper transport layer protection, SSL CA validation and certificate pinning to minimize unprotected data transfer to and from servers. The other vulnerabilities may be mitigated by iterating continuous security checks or by consulting trusted mobile app security testing vendors.

For users, it is essential to get rid of apps downloaded from untrusted sources and to keep monitoring trusted apps for suspicious activity as well. Using an advanced anti-virus application may also be an option.

Final Thoughts

Even though the developers at CamScanner claim to have removed the malicious code in the latest update, numerous users with older versions of the app may still be on the verge of getting hacked. Most smartphone users trust the Google Play Store and consider it the safest place to download applications, but the case of CamScanner proves otherwise.

Researchers believe that even trusted organizations like Google cannot check millions of applications thoroughly, and as more and more updates come in, the job always remains unfinished.

