Malware on My Android Phone (beust.com)
334 points by rossjudson on Jan 11, 2021 | hide | past | favorite | 231 comments



The lesson here is not "oh look the author is stupid because they installed a shitty QR scanner app and didn't notice the obvious mistake".

The lesson should be: even very experienced technical people fall into the malware trap. We all have day-to-day problems, unexpected stuff happening, in short life doing its thing. We'll inevitably end up being victims of a scam that happens on just the worst possible day of them all, because reasons.

Thus the problem is not if we'll also fall into the trap, but what tools we'll have at our disposal when we do, and to what extent the Operating System will be there helping to protect us (and/or help us diagnose the issue...)


As an iPhone user and an Android developer my lessons learnt, over time, are:

1. Do not trust Google to vet the apps in the play store. They won't; they don't even try.

2. Those shiny Play Protect and whatnot postured around by Google are practically utterly useless bs/bloat

3. Stick to famous, really famous apps from the Play Store - as in well known - e.g. Facebook, Netflix, Evernote etc (you will be tracked of course, you won't be hacked - you pay this price by using Googled Android anyway)

4. If you couldn't find a well known app on Play Store - head to https://www.f-droid.org

5. Do not, just do not download any other app on your phone (treat it as a no exception rule) unless you know what you are doing and possibly can look at the code - find something decent as an APK from GitHub et al.

6. Be very miserly when it comes to doling out permissions to apps. Your default should be "no".

7. Privacy (not really) and safety are just superficial polish by Google on Android OS - their core and only focus developing the OS is: making it as much of an ad platform as they can and on top of that how to get a bigger and bigger cut of the overall ad revenue with every release.


You speak as if you were any kind of authority.

Nowadays anybody can be an Android developer, India is full of teenagers doing it.



TL;DR


The part of pg's comments that relates to your comments is this part:

"Saying that an author lacks the authority to write about a topic is a variant of ad hominem—and a particularly useless sort, because good ideas often come from outsiders. The question is whether the author is correct or not. If his lack of authority caused him to make mistakes, point those out. And if it didn't, it's not a problem."

But in general, Paul Graham isn't saying anything that is novel to this site's comment guidelines:

Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

https://news.ycombinator.com/newsguidelines.html#comments


"Don't be a dick, because plenty of people are smarter than you, and even people who are not smarter than you can come up with really good ideas and perspectives."


I was a teenager doing Android Development in 2010. What difference does age make in this discussion?


What I mean is that it's not a valid argument to establish the authority of the speaker.


Why isn't it? Teenagers in India can have authority on a subject and more experience in certain areas than I do.

I'm not taking their post completely on faith. It matches up with my previous experiences, including the article we're currently talking about and related articles I've read.

Is there a specific issue you have with their point, or did you just want to point out that they're not special for making apps?


I've had the same issue as the author of the post.

The barcode scanner wasn't any shitty app, it was the one that was recommended a long time ago by Google Authenticator. I had left it installed on my phone and it must have had the dodgy update that got it banned from the app store.


> the one that was recommended a long time ago by Google authenticator

That's where I remember it from, thanks! However I think there's some confusion here: the one the blog mentions is not https://play.google.com/store/apps/details?id=com.google.zxi... (github based, relatively trustworthy looking, recommended by Google Authenticator back in the day), it's the now removed qrcodescanner app: https://webcache.googleusercontent.com/search?q=cache:38t1gW...

I think those bad reviews on https://play.google.com/store/apps/details?id=com.google.zxi... are because the malware probably used the zxing qr library, and there might be traces left in it, or these users are just confused (or the malware app deliberately pointed low star reviewers to the github competitor app in the play store). As others have stated, this github app with the bad reviews hasn't been updated for a long time.

If the malware is also in https://github.com/zxing/zxing , I really hope they do a postmortem to explain how. The fact that https://play.google.com/store/apps/details?id=com.google.zxi... still exists though, while the app mentioned in the blog has been removed by google, makes me think the zxing app is clean.


Hang on a second, something is fishy here. I had an issue that mirrors what was happening on the zxing reviews. I was getting a full page ad every 15 minutes or so after unlocking my phone.

The rub? It wasn't this app. It was another one that was also called Barcode Scanner. It was also beginning to garner negative reviews, which the developer (had a Ukrainian email address) had begun responding to, saying the app was perfectly legal because it was serving ads only inside the app itself.

I'm wondering if that deluge of bad reviews is directed at the wrong app? I'll look to see if I can still find the google play page for the one I had.

Also, I had that app for a LONG time before it started displaying this kind of behavior just last month, which also corresponds to the bad reviews starting on the zxing app.


The ads went away when I uninstalled it and reported it.


I went through all the apps I've installed in the past, and the only barcode scanner I've ever installed was this one:

https://play.google.com/store/apps/details?id=com.google.zxi...

So it might be another completely unrelated app that triggered the issue, or it might be this one, no idea!

I've reset my phone to factory and re-installed only as and when I needed an app and so far no more ads.


I took away another lesson: One of the early developers of Android doesn't replace his phone even after being absolutely certain it had malware.

That kinda blows my mind.


That would be reasonable if the phone owner was likely the victim of some targeted attack (being a politician or something similar). But if it's just regular malware that was installed with a drive-by download, I would trust the Android security model that much.


I wouldn’t. Some malware can hide a lot deeper than a factory reset can erase.


Such behavior needs privilege escalation thanks to the sandbox. I don't believe a crap app can do privilege escalation on a constantly updated phone.


Doing so would mean you don't trust the Android security model. No app can be granted permission to affect the OS or other apps unless the phone is rooted and you give it root.


I mean, I don't trust as a binary. I have continuums of trust from very little to very much. I know that people are capable of privilege escalation and persistence. I've seen it with my own eyes. I know it's unlikely that that specific piece of malware was able to get persistent root, but it could have and it also could have exfiltrated cryptographic keys or certificate or bearer tokens while it was on there. Better to just get a new phone if you're such an experienced software developer that you literally helped build Android.


If you don't fear as a binary then threat assessment and mitigation cost may be a factor. Could be a closet ios user.


That's a pretty extreme and expensive option. I think I would have just gone for a factory reset.


I had an attack that kept the Malware after a factory reset, and I contacted Lenovo about it. They confirmed it was indeed still intact.

We even did a low-level reset (a representative guided me through it) but to his own surprise the malware was still there.

I was out of warranty and I had to pay a sum to get it fixed, which was more expensive than buying a new tablet.


At the very least, yes. But I read something from a former NSA hacker once and he mentioned he replaces his computer and phone every quarter, in addition to a bunch of other paranoid things.

I'm not that extreme, but I did replace my computer once I got back from Kiev. I'd rather not worry about it.


I do not use an Android phone, is there an easy means to restore one to factory condition? Is there a simple process to save and restore your phone to your PC/Mac similar to how Apple does it?

(my father has an android phone and now I suddenly find myself curious about save/restore and how to find malware on his phone)


Yes - it's very easy to do a factory reset on your phone.

No - There is no 'easy' way to store/restore the entire phone as I believe Apple does. (I had a miserable day doing this, when my old Pixel started playing up and had to migrate across to a replacement) - and this was best case when I had the two phones next to each other.

Core 'google' stuff seems fine - either all tied to your account (e.g. contacts) or google app data (texts, pictures etc) which can be backed up to cloud, or directly migrated between phones.

What doesn't work is the logins/settings for all the random apps. Some do store on cloud. Some allow manual export/import of settings. Some you're going to have to setup again from scratch.

Back in the day when I did root my phone, TWRP and similar things let you image/restore the whole phone.


Older Mediatek platform phones let you read/write the entire internal flash (eMMC) directly, which is AFAIK the full extent of persistent writable storage.

That is the true "factory reset", as it's how they were first loaded with software in production. I believe the more widely-known and generic Android reset is merely restoring from an internal partition.


AFAIK since android uses read-only system partition, there's nothing to restore. It just wipes the data partition and that's it.


Indeed.

If you look at the storage requirements of an app, you can see it's split between "App Size" and "User Data" (along with a cache).

AFAIK there's no way to actually backup/move the user data without rooting. Now I can see why Google might not want to store all that (and why I might not want them to) - but it's somewhat silly not to have any options.


> No - There is no 'easy' way to store/restore the entire phone as I believe Apple does.

I think Android phones with the Google Services Framework installed do provide such a way. Alternatively, if you're using a custom ROM (like GrapheneOS on Pixel devices), you can use Seedvault[0] for full backups of your phone. It basically acts as a drop-in replacement of the backup service provided by Google.

[0]: https://github.com/seedvault-app/seedvault


I had a QR scanner installed for _years_ before it started (in December) giving me chrome pop-ups for spammy links. The dev is even on the app store lying saying the ads are in the app when the app is actually covertly waking itself up to open chrome.


IMO: the lesson here is that restricting people to the OS vendor's software repository doesn't prevent malware. The only way to even help with that is via community review (note that Apple doesn't review internal behavior of the apps or instrument them in any way, they just have someone try using them behind a proxy) and enforcing publicly available source code like F-Droid.


"the lesson here is that restricting people to the OS vendor's software repository doesn't prevent malware"

This was a side-loaded app on an unlocked phone. What am I missing?


My takeaway from this post is never use Android. Not that I ever would.


A QR code reader was the problem then... I have been an Android user since the dawn of time and I was so surprised when my wife showed me that on her iPhone the QR code reader is embedded in her camera app... I wonder why it is not the same in any version of Android that I have used (now I am on Android One).

This plus the native support for CardDav and CalDav are pushing me to try iOS next time I have to change my phone.


QR readers are loaded with everything. I went mad trying to find a decent one for my parents' Android phone and apparently it doesn't exist. So in a weekend I've created one without any kind of tracking, ads, permissions, whatever. Here it is if you guys need one -> https://play.google.com/store/apps/details?id=com.prof18.sec...


Or anything from FDroid. I use Barcode Scanner (https://f-droid.org/en/packages/com.google.zxing.client.andr...) as it scans even damaged codes.


Same here. Generally when looking for good quality Android apps, F-Droid should come first. I think about 95% of the apps I use on my phone are covered with F-Droid. Only banking apps and public transit apps are from the Play Store.


> Or anything from FDroid.

This is the best heuristic to apply not just for QR code scanning, but for pretty much everything. To avoid malware, avoid the Play Store.

When using f-droid, also check out the project web site and git repo (at least in a cursory way, even if you can't fully audit the code, you can get a sense of who the developer is and the project's overall health from the commit log and issue tracker).


I'm largely in the dark when it comes to Android security. What makes F-Droid so much safer?


F-droid only accepts open-source apps. Apps with anti-features are also marked as such.

Play store should be only used for things that you can't work around with apps from f-droid.


It's not truly safer. It's just smaller, and only has open-source apps. So it's harder to hide malware, but still certainly possible (nobody checks most apps).


It seems much safer. F-droid apps are finely curated open-source apps and anti-features are marked and easily avoidable.


The issue is the "finely curated" statement. It's not a full code review, just "Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive though, and there are no guarantees."[1] After an app is added to F-Droid it gets built from source by the F-Droid build servers, but it does not generally get re-reviewed. It's perfectly possible to add the malware after the initial release. It's also possible (even easy) for malware to be missed by the limited code review. F-Droid is a little safer, but that doesn't mean it's particularly safe. It's no harder to get malware on F-droid than it is to get it into Arch or Debian or any other distro repository.

[1] https://f-droid.org/en/about/


I believe 'Barcode Scanner' was potentially one of the first barcode scanners on Android. Been using it since Android 1.x on the ADP1.

Don't forget it is on the Google Play store too. https://play.google.com/store/apps/details?id=com.google.zxi...

There was a time when QR Code scanning was better in Android than iOS (native in iOS 11.x).

The "Google" way of scanning QR Codes is Google Lens, but it doesn't work offline :|


Beware, the play store version shows full screen ads, auto redirects and needs contacts permissions.


Is there any proof for this, apart from those bad reviews? The blog mentions another (now removed app) with the package name com.qrcodescanner.barcodescanner, not the open source one at https://play.google.com/store/apps/details?id=com.google.zxi...

I believe these bad reviews might be a result of the malware app pushing bad reviews to the zxing app page on google play, using an in app 'rate this app?' -> low rating -> send to the zxing app in Google Play (instead of the malware app in google play).


As noted above, I believe this to be the case. I had the other app and started receiving full page ads for it. Totally different developer, but same app name. I am no longer able to find that app in the play store.


Ah, looks like my installation is actually from F-Droid, and I never realised.


I've installed from Google Play, and never seen any ads. It has contacts permission, but that's because sharing contacts with a QR code is something I use it for frequently (it can generate codes as well as scan them).


I feel like this is a good example of how difficult it is to find a good barcode scanner. It mentions permissions for contacts and full network access. I would have thought that those two permissions should not be necessary for a barcode scanner and point toward something dodgy going on.


It's actually not that difficult. F-Droid has a few offline scanners. It depends of course on how much of your experience you want automated. Though it would be nice if Android let you control the more granular permissions like network access.

https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...

https://f-droid.org/en/packages/de.t_dankworth.secscanqr/


Error correction is inherent in processing the QR code itself. That is, QR codes are generated with varying levels of redundancy, and any reader must be able to interpret the Reed-Solomon code.


I've been using this one since the Android 1.0: https://play.google.com/store/apps/details?id=com.google.zxi...

What's interesting, is that despite the app not being updated since 2018, open source, and containing no ads or tracking the reviews are saying it recently became adware.

Searching for barcode scanner in the app store brings you to a horrible sea of ad supported crap ware, and it seems like that crap ware wants to ensure you don't download something that might be decent.


Yeah, something's fishy.

I scraped the latest 1000 reviews (coincidentally almost exactly 12 months worth).

The "adware" reviews are all very recent with large amounts of votes.

They seem to start on December 18, with 162 1-star reviews in the following 25 days -- more than all the 1-star reviews in the 6 months prior.

I wouldn't be surprised if these reviews are not only automated spam, but are constantly being deleted and reposted to keep them "fresh", and at the top of the "relevant reviews".

Charts: https://imgur.com/a/QUyHcHu

CSV of review data: https://pastebin.com/ZanYgd5Y


The malware app was also called "barcode scanner", published by "the space team", so it wouldn't surprise me if a lot of people just found the more popular zxing app on the store and left reviews in the wrong place. I had the malware version installed and went through the same process Cedric did to find out that an update they pushed around that time turned on the bad behavior.


Curious: How did you do that? (scrape + chart)


Scrolled down until 1000 reviews had loaded.

Used the simplescraper.io Chrome extension (with a little bit of DevTools fiddling) to export a CSV.

Created a pivot table in Excel and charted the results.
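The count the parent comment did by hand (scrape, then pivot table), as an added Python example that is not the commenter's script: given a constructed `date,stars` CSV it flags the first day whose one-star volume is out of line with the preceding six months and reports the following 25-day window against that baseline, the same comparison made above for December 18. The thresholds (`min_daily`, `factor`) are assumptions chosen for the sample, not values from the thread.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta
from typing import Counter as CounterT, Dict, List, Optional, Tuple

# Constructed sample of scraped review rows (date,stars): a steady trickle of
# one-star reviews for half a year, then a burst from 2020-12-18 on. This is
# not the CSV linked in the thread.
def build_sample_csv() -> str:
    rows = ["date,stars"]
    first = date(2020, 6, 1)
    d = first
    while d < date(2020, 12, 18):
        if (d - first).days % 4 == 0:          # one 1-star review every 4 days
            rows.append(f"{d.isoformat()},1")
        rows.append(f"{d.isoformat()},5")      # plus a happy review each day
        d += timedelta(days=1)
    for i in range(25):                        # burst: six 1-star reviews a day
        d = date(2020, 12, 18) + timedelta(days=i)
        rows.extend(f"{d.isoformat()},1" for _ in range(6))
    return "\n".join(rows) + "\n"


def load_reviews(csv_text: str) -> List[Tuple[date, int]]:
    """Parse 'date,stars' rows into (date, stars) pairs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(date.fromisoformat(r["date"]), int(r["stars"])) for r in reader]


def one_star_per_day(reviews: List[Tuple[date, int]]) -> CounterT[date]:
    """Number of one-star reviews posted on each day."""
    return Counter(d for d, s in reviews if s == 1)


def find_burst(reviews: List[Tuple[date, int]], window_days: int = 25,
               baseline_days: int = 182, min_daily: int = 3,
               factor: float = 3.0) -> Optional[Dict[str, object]]:
    """Find the first day whose one-star count is anomalous against the
    preceding baseline period (at least `min_daily` reviews and more than
    `factor` times the baseline daily mean), then compare the window that
    follows with that baseline, as the thread does by hand."""
    counts = one_star_per_day(reviews)
    first = min(d for d, _ in reviews)
    last = max(d for d, _ in reviews)
    d = first + timedelta(days=baseline_days)   # need a full baseline first
    while d <= last:
        b_start = d - timedelta(days=baseline_days)
        baseline = sum(c for day, c in counts.items() if b_start <= day < d)
        mean_daily = baseline / baseline_days
        today = counts.get(d, 0)
        if today >= min_daily and today > factor * mean_daily:
            w_end = d + timedelta(days=window_days)
            in_window = sum(c for day, c in counts.items() if d <= day < w_end)
            return {"start": d, "window": in_window, "baseline": baseline,
                    "window_days": window_days, "baseline_days": baseline_days}
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    hit = find_burst(load_reviews(build_sample_csv()))
    if hit:
        print(f"burst from {hit['start']}: {hit['window']} one-star reviews in "
              f"{hit['window_days']} days vs {hit['baseline']} in the prior "
              f"{hit['baseline_days']} days")
```

Point `load_reviews` at a real scraped CSV with the same two columns to reproduce the comparison on live data.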


Either it's a campaign to try and lower the ratings or a bunch of people have managed to get separately installed malware and thought this was the cause.

The last update I see available is what I have installed - 4.7.8 from September 2018. Definitely no strange behavior from it.


Hm, it says updated February 2019?

But I also use this app for QR-codes, since I was never able to find an alternative. The vast permissions required make me nervous every time I install it... Good to know it is on F-Droid as well, built from a source tarball, so should be OK [1]?

[1] https://f-droid.org/en/packages/com.google.zxing.client.andr...


Interesting, in the Android play store it says Sept 2018. But I opened it on a browser and I see Feb 2019.

However all the negative comments about ads are from after November 2020. Clearly a smear campaign.


Just wondering: Since you're using zxing library, why not go for the zxing barcode scanner directly? https://play.google.com/store/apps/details?id=com.google.zxi...

Another option would be to use Google's MLKit. I think they've added support for scanning QR codes in there. It requires Google Play Services though, which is not ideal.


The reviews on that app don't look encouraging:

> No issues initially but now it will give full screen ads often that either force open your browser to a shady site...

> ...thought I should update it. That's when I started getting full page ads and browser redirects. I don't know who hijacked this app...

> Avoid!! Used to be great. Now opens adware, and pops it over the lockscreen. Goes to great lengths to cover its tracks, calling the process "partners" and removing itself from recent applications. I had to use "popup ad detector" to find it. Appalling behaviour. Very underhanded.

The zxing library is open source and different from the app. So looks like something fishy happened to the app recently. From the description of problems, this might even be the app referred to in the article.


It was last updated 2019 according to the footer. Maybe the bad reviews are paid for by the devs of the other QR apps?


Google makes one themselves, Google lens. It's quite a bit more than just a qr code reader, though, kind of a generic computer vision app https://lens.google.com/


I went mad trying to find a decent voice recorder for my mom. Eventually settled on some ad-littered app, but at least it didn't request any extraneous permissions. Every other app asked for every single permission under the sun... to record voice.

The one thing I've noticed about the iOS store is that apps are more up-front. Many have a price tag attached to them, which I prefer. Android apps are all about giving you something for free and then in the back doing god knows what to make pennies off of you.

The whole ads-in-apps situation is from some sci-fi novel. Let's make screens bigger, so we can fill more of it with ads.


I use the built-in QR-code scanner available in Opera Mini beta. Also, it's the only browser I know that has a built-in RSS feed reader. I use an old APK, as the newer version of Opera Mini removed the RSS functionality.



This looks great, can you add it to F-Droid? I tend to trust stuff that's on F-Droid more, even if I do end up installing them from the Play Store.


It's great since you have the ability, but I set up all my family phones with F-Droid and some good apps there, including QR readers.


What happened to the zebra crossing demo app? That's what I always used when I had android.


Thanks very much! Just installed and does a great job!


Thanks for this.


I was going to recommend the open source "Barcode Scanner" app also known as "zxing" on GitHub. However when looking at the app's page, I noticed that someone seems to be engaging in some kind of review-bombing with that app. There are tons of reviews claiming that it was recently updated and has highly intrusive full page popup ads. But looking at the version info, the app hasn't seen an update for over 2 years and the repository is in maintenance mode, and neither I nor anybody else that I know has seen a single ad when using it.

I wonder if this is a concerted effort to steer impressionable people away from a "real" FOSS QR code reader app and direct them to a malicious one instead, using scare tactics.


If you say "OK Google, scan a QR code", it opens up Google Lens which does the job but only seems to be accessible through voice on my device


On my Android phone if you open the camera App there's a Google Lens icon at top left next to the menu hamburger icon.


You can access it without voice, by opening Assistant (long-press Home, double-press Power, etc.) and then typing "Lens" into the search box.

Ridiculously, there's no way that I can see to get an app shortcut icon to it.


There is a Lens app you can install to get an icon. https://play.google.com/store/apps/details?id=com.google.ar....

Note: I work at Google but not on Android/Lens


OK, I've done that. It's pretty crazy that the app takes up 40MB just to add an icon to my apps menu.


I also use Lens for QR and like any typical app just installed it through Play and launch it normally.

Voice Assist is yet another privacy invasion vector imho, there are too many anecdotal first hand accounts of someone talking about fishing and suddenly getting banner ads for boat trips everywhere.


You don’t think it’s more likely that a person who talked about fishing also searched for fishing gear using Google? Or “Likes” fishing on Facebook? Or follows a fishing person on Twitter?

The technology and storage that would be required to parse non-device-directed speech doesn’t exist and wouldn’t be profitable since there are so many other reliable signals that are much cheaper.


I have a Pixel 2. It scans QR codes with the default camera app just fine. When it detects a QR code you get a little popup you can click. It even works with regular 1D barcodes.


Long time Pixel user here (and an Android dev for that matter) and I had no idea the camera had qr support!


just go into the camera settings and turn on lens suggestions


If you are fine with sending the camera stream to Google for analysis...


If not you wouldn't use a Pixel.


Hardly a fact. As a privacy minded person I hold the Nexus/Pixel devices quite high in regard in the android ecosystem.

Better to be screwed by google, than to be screwed by both google and samsung/whatever.


Well actually I just tried this with the normal camera and it worked fine without activating lens (or having given it any permissions).


Same here with my Samsung Galaxy S8+. There's a QR code scanner in the camera app.


Same here with a semi-recent Motorola One Zoom


same here with One plus


It wasn't a QR code reader that was the problem, it was malware posing as a QR code reader. It didn't sound like the author downloaded a QR code reader and happened to get malware. He got malware from some source which installed itself that way.

I had a QR reader in my camera app on some old Androids, around 2011 or so, but maybe it was because I then often was running custom ROMs? Or because back then QR codes were hyped and used for everything? Anyways, in 2019 or so it was included again in the native camera app on all Samsungs.

While I get the allure of "it just works", having a niche feature that's basically never used and easily installed anyway seems like a weird hill to die on.


Pretty much most Android phones have a QR code reader embedded in the camera app as well.


For CalDav/CardDav there's DAVx⁵. It's on Play if you want to support the developer, or F-Droid if you don't.

There is also ICSx⁵ from the same developer, works against outlook.com.

I paid for both, they work great.


I'll vouch for DAVx⁵. Terrific app, I've been using it for years through the name change. I use it to sync contacts and calendar with NextCloud.


so there are a ton of different apps for which you can pay to get a feature that ios has builtin. great


Note that the apps they mentioned are available for free


noted, hence i wrote 'can pay' and not 'must pay'.


Meh, that goes 2 ways. Try getting good WebDAV or third party backup solutions in the Mac ecosystem. You win some, you lose some.


yea. really bugs me that there is no native webdav support in ios (at least there is cal-/carddav)


You mean just like how on iOS you need to pay for apps to give you (almost) the same functionality and customization as on Android?


I recently discovered Firefox on Android has one: if you focus on the address bar there is an option to scan, you just need to give Firefox permission to access your camera.


On my Pixel 4a: Camera / Modes / Lens. That will open Google Lens which should scan QR codes.


You can do the same on any android phone by opening the google app and tap the lens icon in the search bar.


It does - just checked.


> on her iPhone the QR code reader is embedded in her camera app... I wonder why it is not the same in any version of Android that I have used

Apple added a builtin QR code scanner to the camera app in iOS 11 due to the ridiculously widespread use of QR codes in China.[1] I guess (Google's version of) Android doesn't have that because Google doesn't derive much value from that market, and QR codes don't have as much mindshare in other major markets.

[1] They specifically called out the Chinese market when introducing the feature in WWDC 2017 keynote:

> Of course, there's much more than we have time to talk about today, but I want to highlight some features of special interest to our customers in China, like QR codes that are integrated right into the main camera, accessible from the lock screen, super use Yes, super useful for customers in China.

https://asciiwwdc.com/2017/sessions/101


Android has had a built-in QR scanner for years. Looking in this thread, at least OnePlus, Pixel, Motorola and Samsung have it in the default app. As far as I know it is part of Android.


Huawei has QR scanner built-in in the gallery app https://consumer.huawei.com/en/support/content/en-us00326153...

I believe that its built-in app also has a QR scanner in the HiVision package, but it requires accepting a scary privacy agreement.

Firefox for Android embeds a QR scanner in its address bar: https://support.mozilla.org/en-US/kb/scan-qr-codes-firefox-a...


Xiaomi's Android distro MIUI has QR code scanning in the Camera app by default. Most Asian target markets do that, because QR codes are more common here.


MIUI also allows you to sort apps by installation time


I just tried with my Samsung S9+ and the camera app picked up the QR code, don't know what you are saying


That's specific to the default Samsung Camera app.


It is in Moto, Pixel, OnePlus, Xiaomi, Huawei too. Likely default on Android 9+


The camera app is actually not one thing, even on Android One, it depends on hardware support. The Pixel one doesn't work on my Nokia for example.

My last few Android phones have had QR reading built in to the camera though, just not current Nokia. It might even be my biggest annoyance with it...


Firefox for Android comes with an integrated QR code reader. Works great. No add on needed.


+1 to the answers here. Mine offers QR reading as another selectable mode, in addition to the "Still photo" and "Movie" modes. My previous phone had it integrated in the "Still photo" mode: it would simply detect and read QR codes automatically when pointing the camera towards one.

But, the phone I had before those two, had a Camera app which didn't read QR codes. So maybe it's a matter of expectations now: old Camera apps were just for Camera, while modern ones are now generally expected to be able to read QR codes? (I would, anyway)


It is on my pixel (so worth a try on whatever's shipping with Android One).

I thought it was a bit 'hit or miss' at first - if you hold the camera over the code, after a bit it decides to pop up a link over the QR in preview. Then realized if you tap on the code, it instantly displays the link. Just had a fun few minutes on https://www.google.com/search?q=qr+codes&tbm=isch - as the tap allows it to handle multiple ones within the same frame.


My Firefox on Android has a QR code scanner, I typically use that even when I know it's not a website. When you open a new tab and select the address bar you get to see the button for the QR code scanner.


After going through dozens of QR code scanners trying to find one that is open source and trustworthy enough looking to install, I realised there is just one right there in Firefox.


And in the default camera app.


Sure, but only if you also have the Google app and Google lens.


I have an Honor5C on Android 7 (with EMUI5) and there's a QR code reader built in, but I only found it by accident.

After taking a picture of a QR code, view the image, tap 'more', wait 10s, and if the image is good enough (and it really needs perfect focus and placement, it's very persnickety) then it will show "read QR code". If you choose that option it will then take you to a URL/text preview, and then you can open your browser to that URL, etc.

Worst discoverability ever!


This is basically the problem I have with Windows (well, had, maybe it's gotten better): a bunch of basic tools are third-party utilities. Microsoft will even point you to them?! On macOS either the basic things are built in or easy to find from a website that isn't trying to push a new toolbar at you. On Linux you just use your package manager to install whatever it is…


I don’t think you really need any 3rd party utility on Windows anymore, for the basic tasks. Any browser has PDF viewing, .zip support is already there (since Win2000), it has basic image manipulation and text editing, a screenshot editor, and I think even desktop recording. Sure, none of these things is a “best in class” app, but that’s normal (and leaves market space for developers). Anything beyond that is not “basic” and I wouldn’t expect it on macOS either.


Same with e.g. a multi-entry clipboard (although I still use a third party utility app for that out of habit).


Take a photo of the QR code with any camera and open the image in Google Photos. Google Lens will detect the QR code and do the rest.


On my Moto E4 (Android 7.1.1) the default Android camera app also reads QR codes. But nothing in the app, nor the app help, actually tells anyone that it will do this. The only way one discovers it is by pointing the camera at a QR code to see what happens, and realizing that the app just decoded the QR code it was viewing.


> I wonder why it is not the same in any version of Android that I have used

I've had this on Samsung phones for a long time.


Xiaomi's MIUI has a QR code reader as a default feature in the camera app, and as a shortcut on the desktop.


That's disappointing. Chrome on iOS also has a QR code scanner. Surprising that Chrome on Android does not.

https://support.google.com/chrome/thread/7862896?hl=en


I read somewhere the native camera app also does but many including Samsung have their own app instead. Cannot vouch for that.

On the flip side there are QR apps in the top 100 App Store apps because the built-in support in camera is not really obvious unless someone tells you.


I had an S10e recently and the camera app would scan them if they were in view and show a popup message.


So does Android (at least OnePlus and Pixel) in the default Camera app.


Firefox Android has a QR code reader. I also recently noticed that the Google App (Discover?) has a QR code reader and I think the Google Assistant too.

But these are all behind an app, not readily accessible.


On my Samsung it's the same as well. The default camera app scans any QR code, even does document scanning on the fly which I find super useful.


Aside: on iOS the default camera app doesn’t do document scanning but the Files app does (it’s an option under the menu on the browse tab).

Took me ages to discover that, still not sure how long it’s been there.


The notes app also does document scanning in iOS and I’ve found it very very useful.


Yes, on my Samsung the camera app is great, and it gets better all the time. I know people like to crap on Samsung but they do some great things in some regards.


Samsung phones have had QR reading in the camera app for a few years at least. Google also has Lens but that does not work offline (?)


There is native support now with Lens, although I agree it's kinda nutty that it took so long.


I use the Microsoft Launcher and a QR code scanner is part of it.


Firefox mobile also has one embedded.


Simply get something from F-Droid.


I trust the F-Droid store more due to its curated (FOSS-software-only/no-trackers) maintainer based model and default to them if there's an app that I need, especially simple stuff that tends to mostly be adware on the Play Store.


On a side note, my bank is now forcing me to use their app which can only be downloaded from the Play Store (which I will never install). When I complained they told me it's because they think it's more secure than their current method, which is a card reader. I tried to explain to them that the average phone is teeming with malware, but they simply wouldn't believe me.

I am currently looking for a new bank.


You can use AuroraStore from F-Droid, it allows you to download apps from the Play Store without a Google account.


Nice tip!


It will probably not be good enough; many banking apps are using Google SafetyNet to detect rooted or non-Google-certified devices, with Google Play installed indirectly. AFAIK it's now quite difficult to break. I sort of understand the bank's decision on this. There is a lot of malware on Android and users are easily tricked into installing some side-loaded APKs, and there is also a lot of hidden malware on Google Play which is hard to find (e.g. it downloads a payload after the store review is done). This would be a disaster since on Android you can for example use accessibility services to read any input from the user and also control the device. So you can circumvent 2FA and make transactions on behalf of the user on the device. There has been a lot of banking malware on Google Play. I think they are getting it a bit under control now, but it's still very dangerous.


I wonder if it would be possible to have something like qubes or maybe like docker that could run a full-fledged, sandboxed Android instance for a single app, while running FOSS like a sane person as your primary ecosystem.


That's happening a lot; switching your bank won't help, at least not for long. I guess "[x] force smartphone users to use the app" is part of some security checklist now.

I got a workaround by switching to desktop mode, and when that didn't work anymore by using Fennec (FF mobile fork with relaxed addon support) + a user agent switcher.


Kinda similar for me. When I look for a small app like a QR code scanner or a flashlight I search for "QR code scanner open source" or "QR code scanner github" to easily find the open source ones that likely don't contain ads or malware.


Another problem is with the cheap Android devices that come with a preinstalled rootkit disguised as the firmware update app. (fota.apk)

It uses Lua scripts to install apps remotely and can grant any app any permission and run at system level through reflection.

The government funded LifeLine phones that are given to the poor, disabled and veterans are all infected with this malware.

Here is an excellent technical analysis of the rootkit:

https://wuffs.org/blog/digitime-tech-fota-backdoors


"Google Play Protect was also completely unhelpful, which was a big disappointment. First because Google certainly knows which applications they removed from their store for malware reasons, but even so, I would expect Google Play Protect to at least flag any app it finds on my phone that is not on their store. Such an app is not necessarily malware, but it should certainly be flagged.

Google Play Protect could also do some behavior profiling to analyze what apps are doing in the background. A service launching recurring VIEW intents on web sites in the background should have raised a flag to the system."

Sounds good.

I sense that there are so many teams involved that such a feature is not on their radar. So "they already know they blocked it" and "the existing installed app should be blocked" imply that two teams know what the others are doing.

I'm guessing that the team that does the removal from the store has no communications path to those who would add a flagging mechanism for already installed apps.


"I would expect Google Play Protect to at least flag any app it finds on my phone that is not on their store. Such an app is not necessarily malware, but it should certainly be flagged." Seems like Google is between a rock and a hard place here; they already catch so much heat over their treatment of third party app stores that there would certainly be a lot of outrage over this if they started doing it.


Very true, but instead of reaching in and removing your app, giving a message saying "we pulled this app from the store for such and such reasons, maybe you want to review it" would be pretty nice.


I believe that actually does happen if you installed through Google Play Store, but in this case the app was sideloaded onto the device.


> Listing the apps installed on my phone should give me the option to sort them by “Latest installed”. I am pretty sure that if I had had this option and I had seen a QR Code Scanner installed just a few days ago, it would have immediately grabbed my attention. As it is, the way Android lists the installed apps is pretty useless for this purpose.

I was able to find it pretty quickly by going to:

Settings > Battery > Usage Details > Battery Usage Since Full Charge

This showed me the most recent app used. As I hadn't used the QR scanner app in quite some time, it seemed a reasonable place to look first.
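The "latest installed" view the quoted article asks for can be reconstructed offline from `adb shell dumpsys package` output. The following is an added example (not the blog author's code and not part of Android); it parses a constructed excerpt in the style of that output, sorts packages by `firstInstallTime`, and flags anything whose `installerPackageName` is not the Play Store, which is how a sideloaded app stands out. The package names, times and installers are invented; the exact field names are assumed to match what dumpsys prints.

```python
"""Sort installed packages by install time and flag sideloaded ones.

Added example, not code from the blog post or from Android itself.
It parses the kind of text `adb shell dumpsys package <pkg>` prints
(captured to a file) and rebuilds the "latest installed" view the
article author wished Android offered. The sample is constructed;
real output carries far more fields, which the parser ignores.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

PLAY_STORE = "com.android.vending"  # installerPackageName for Play installs

# Constructed sample in the style of `dumpsys package`; names, times and
# installers are made up for the example. "installerPackageName=null" is
# assumed to be what a sideloaded (adb/unknown-source) install shows.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10145
    firstInstallTime=2019-03-02 10:11:12
    lastUpdateTime=2020-12-20 08:00:00
    installerPackageName=com.android.vending
  Package [com.example.qrscanner] (4d5e6f):
    userId=10231
    firstInstallTime=2021-01-08 19:42:05
    lastUpdateTime=2021-01-08 19:42:05
    installerPackageName=null
  Package [com.example.bank] (7a8b9c):
    userId=10099
    firstInstallTime=2020-06-15 12:00:00
    lastUpdateTime=2021-01-03 09:30:00
    installerPackageName=com.android.vending
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
FIELD_RE = re.compile(
    r"^\s*(firstInstallTime|lastUpdateTime|installerPackageName)=(.+?)\s*$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class InstalledApp:
    package: str
    first_install: datetime
    last_update: datetime
    installer: str | None  # None when dumpsys prints "null"

    @property
    def sideloaded(self) -> bool:
        # Anything not installed by the Play Store: adb, browser download,
        # another store (F-Droid would show org.fdroid.fdroid here).
        return self.installer != PLAY_STORE


def parse_dumpsys(text: str) -> list[InstalledApp]:
    """Turn a dumpsys package dump into InstalledApp records."""
    apps: list[InstalledApp] = []
    current: dict[str, str] = {}

    def flush() -> None:
        if "package" in current and "firstInstallTime" in current:
            installer = current.get("installerPackageName", "null")
            apps.append(InstalledApp(
                package=current["package"],
                first_install=datetime.strptime(current["firstInstallTime"], TIME_FMT),
                last_update=datetime.strptime(current["lastUpdateTime"], TIME_FMT),
                installer=None if installer == "null" else installer,
            ))

    for line in text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            flush()                      # close the previous package block
            current = {"package": pkg.group(1)}
            continue
        field = FIELD_RE.match(line)
        if field:
            current[field.group(1)] = field.group(2)
    flush()
    return apps


def latest_installed(apps: list[InstalledApp], limit: int | None = None) -> list[InstalledApp]:
    """Newest install first, the sort order the article wanted."""
    ordered = sorted(apps, key=lambda a: a.first_install, reverse=True)
    return ordered[:limit] if limit else ordered


def sideloaded(apps: list[InstalledApp]) -> list[InstalledApp]:
    """Packages that did not come through the Play Store."""
    return [a for a in apps if a.sideloaded]


if __name__ == "__main__":
    found = parse_dumpsys(SAMPLE_DUMPSYS)
    for app in latest_installed(found):
        tag = "SIDELOADED" if app.sideloaded else "play"
        print(f"{app.first_install:%Y-%m-%d %H:%M}  {tag:10}  {app.package}")
```

On a real device, feed it `adb shell dumpsys package packages` redirected to a file; the same two functions then give you the newest installs and the non-Play ones in one pass.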


That shows you the most recent app used, but he needed the most recent one installed.


Play Store > My Apps and Games > Installed, and then change the sort order to "Last Updated".


I don't have an Android device here to confirm, but I suspect if it was just installed and never updated it won't show in that list.


True, but I did it right after the ad appeared.


Strange article

    I unlocked my phone and two
    accidental clicks led me to
    agree to a dialog that my brain
    immediately registered as suspicious
What type of dialog can pop up on your Android screen after unlocking and install "malware"? What is "malware" here? It looks like they mean an app from the play store?

    The next day, I picked up my phone and
    when I launched Chrome, I immediately
    noticed it was displaying a spammy URL.
How can one app alter the behavior of another?


What I believe the author is saying is that he received a push notification to chrome from the malicious app.

Coincidentally, I just spent my Saturday evening poring over malicious JavaScript hosted on CloudFront that does extensive browser fingerprinting, and if a match is made to an Android device a fake Captcha pops up in Chrome which actually enables push notifications. From there a full screen pop-up appears that vibrates the device and claims the phone is infected with (N) viruses, and the “repair now” button pulls up the Play Store app to install DFNDR antivirus/cleaner.

If you look at the reviews of that app you’ll see all the angry reviews of users having their browsers hijacked.

The app itself is just an advertising server wrapped around Avast’s detection engine and is funded by the Chinese Qihoo.

It harvests users social media data and charges the users almost $10 a month after a 3 day trial period.

Novice users are unable to delete the app if “advanced protection” is enabled because it becomes a device administrator and uses deceptive language to confuse the user trying to remove the app.

If the app gets installed it will not let you clear the storage of the app from within settings even if you had never opened the app and before you agree to any terms and conditions.

The fake virus warnings that lead to DFNDR have been going on every single day since 2013.

I’m putting together a webpage that will include the JavaScript and other details as we speak.

The Google Play Store is a dumpster fire full of scam apps and scummy developers.


> fake Captcha pops up in Chrome which actually enables push notifications

Wow, this sounds like a classic clickjacking vulnerability. That’s still possible on modern[ish] Android? Definitely interested in your write up.


No, it is not.


    he received a push notification
    to chrome from the malicious app
What does that mean? How does an app send a "push notification" to Chrome?


Not GP, but my interpretation: app sent a general push notification which, when tapped, opened a malicious URL in Chrome as the next step of this "funnel".


> How can one app alter the behavior of another?

In Defcon 2, the author finds a log with the intent:

{act=android.intent.action.VIEW

Android will handle the URI with the default app. The malware sends an HTTP URL, so it will be opened by the default browser.
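The ACTION_VIEW mechanism described above is also the thing to look for when attributing the pop-ups to an app. The following is an added example (not the blog author's code and not part of Android): it scans ActivityManager "START" lines of the kind `adb logcat` prints, keeps the ACTION_VIEW intents that carry an http(s) URL, and resolves the originating uid to a package using `adb shell pm list packages -U` output. All sample lines, package names and uids are constructed, and the exact log layout is an assumption.

```python
"""Find which app keeps firing ACTION_VIEW intents at the browser.

Added example, not the blog author's code. It reads the ActivityManager
"START u0 {...} from uid N" lines that `adb logcat` prints and the
"package:<name> uid:<uid>" lines from `pm list packages -U`, then counts
http(s) ACTION_VIEW launches per originating package. The originating
uid is the caller of startActivity, so a non-browser app that repeatedly
launches web URLs into the browser stands out immediately.
"""
import re
from collections import Counter

# Constructed `pm list packages -U` output; names and uids are invented.
SAMPLE_PM_LIST = """\
package:com.android.chrome uid:10108
package:com.example.qrscanner uid:10231
package:com.example.notes uid:10145
"""

# Constructed logcat excerpt; only the fields this parser reads are meant
# to be realistic. Line 2 and 4 are background launches from the scanner,
# line 3 is a content:// VIEW (not a web URL), line 5 is Chrome itself.
SAMPLE_LOGCAT = """\
01-08 19:50:01.123  1201  1455 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.notes/.MainActivity} from uid 10086
01-08 21:02:14.510  1201  1455 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://example-spam.invalid/offer flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10231
01-08 21:02:14.777  1201  1455 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=content://com.example.notes/doc/7 cmp=com.example.notes/.Viewer} from uid 10145
01-09 02:30:44.002  1201  1455 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://example-spam.invalid/win flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10231
01-09 08:15:09.300  1201  1455 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://news.example/article cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10108
"""

START_RE = re.compile(
    r"ActivityManager: START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)"
)
PM_RE = re.compile(r"^package:(?P<pkg>\S+) uid:(?P<uid>\d+)$")
VIEW_ACTION = "android.intent.action.VIEW"


def parse_uid_map(pm_output: str) -> dict[int, str]:
    """uid -> package name from `pm list packages -U` output."""
    uid_map = {}
    for line in pm_output.splitlines():
        m = PM_RE.match(line.strip())
        if m:
            uid_map[int(m["uid"])] = m["pkg"]
    return uid_map


def intent_fields(intent_text: str) -> dict[str, str]:
    """'act=... dat=... cmp=...' -> dict (tokens contain no spaces)."""
    return dict(tok.split("=", 1) for tok in intent_text.split() if "=" in tok)


def web_view_launches(logcat: str, uid_map: dict[int, str]) -> list[tuple[str, str, str]]:
    """(timestamp, originating package, url) for each http(s) ACTION_VIEW."""
    hits = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        fields = intent_fields(m["intent"])
        url = fields.get("dat", "")
        if fields.get("act") != VIEW_ACTION or not url.startswith(("http://", "https://")):
            continue
        uid = int(m["uid"])
        timestamp = line[:18]            # "MM-DD HH:MM:SS.mmm" logcat prefix
        hits.append((timestamp, uid_map.get(uid, f"uid:{uid}"), url))
    return hits


def launches_per_package(logcat: str, uid_map: dict[int, str]) -> Counter:
    """How many web URLs each package pushed into the browser."""
    return Counter(pkg for _, pkg, _ in web_view_launches(logcat, uid_map))


if __name__ == "__main__":
    uids = parse_uid_map(SAMPLE_PM_LIST)
    for ts, pkg, url in web_view_launches(SAMPLE_LOGCAT, uids):
        print(ts, pkg, url)
    for pkg, n in launches_per_package(SAMPLE_LOGCAT, uids).most_common():
        print(f"{n:3}  {pkg}")
```

A launch from the browser's own uid is a user tapping a link; a non-browser package with a growing count, especially at odd hours, is the pattern the article describes.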


Something similar happened to me a few years back after I accidentally tapped an ad in Chrome (an ad delivered by Google no less). While I didn't get infected the site did start displaying system like prompts (my phone was also vibrating at this point and playing the same sound I get when there's a natural disaster) saying my device was infected and that I should tap OK to download an apk.

I did several things after this:

- Reported the ad to Google (no followup from their side - naturally).

- Removed Chrome.

- Installed Firefox and uBlock Origin.


How did you remove Chrome?


You can disable system apps so they don't show up even without root. If you have root you can also uninstall them. Just open a terminal, su and use pm uninstall to uninstall for your user or all users (you can reinstall the same way if you end up needing it later). No reason to use the provided Chrome when you can just use Bromite though.


> What type of dialog can pop up on your Android screen after unlocking and install "malware"? What is "malware" here? It looks like they mean an app from the play store?

That would be the case if you enable sideloading, but that isn't mentioned in the article. Is it possible to install an app via popup without going through the store? This needs some clarification.


They mention at the bottom of the article that they did enable side loading, that's how the app was installed.


If that were the case, what is the point of the article? Of course Google Play Protect shouldn't interfere with a side-loaded app. One major reason for side-loading (after giving explicit consent and ignoring all the warnings associated) is to allow applications Google wouldn't approve.


Google Play Protect also warned on unknown sideloaded apps (and requested an upload for a scan) when I tried it ~half a year ago. Documentation[0] implies this is still the case.

> It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.

> If you choose to install apps from unknown sources outside of the Google Play Store, turning on the “Improve harmful app detection” setting will allow Google Play Protect to send unknown apps to Google to protect you from harmful apps.

[0] https://support.google.com/googleplay/answer/2812853?hl=en


Can't an app ask for a website to be opened, and then that would cause the standard browser to display said website and URL?

It does not sound to me like the Chrome app was infected, just told to open a page.


Yes this is basic (and incredibly common) behavior. The alternative is often much worse (an embedded WebView in each app to do things like open TOS pages).


Sounds like it might be related to the reviews for this app?

https://play.google.com/store/apps/details?id=com.google.zxi...

A 2020 review talks about ads appearing after a recent "update", but the app hasn't pushed an update since 2018!

I've always had this app installed and never experienced adware, perhaps those reviews are left by people falling victim to the copycat scam?


I had this app too, and I remember thinking it was weird because I think an official Google developer blog (or something like that) mentioned the need to install it, as there was no built in QR code reader at the time. I can't remember which old phone I had it on though.

I also think those reviews might be left by people who can't find the original offending app because it's been removed. https://www.apkshub.com/app/com.qrcodescanner.barcodescanner seems to show it had BILLING permission though, which is always an alarm bell.


The one you're looking at on apkshub is definitely a different app. The version number, last update, and permissions do not match what is in Play.


The one on apkshub is the one mentioned in the blog. Google has removed it from google play. https://play.google.com/store/apps/details?id=com.google.zxi... is a completely different, open source app, with unexplained bad reviews, probably nothing to do with the malware, and hasn't been removed by google.


FYI: I created a website that quickly scans QR codes so that you won't have to download or open any ads-filled QR code apps anymore:

- https://scan.lol

The code is open source too: https://github.com/TimDaub/scan.lol


> The code is open source too: https://github.com/TimDaub/scan.lol

Am I missing something or does your repo only contain the minified version of the javascript, and not contain the `index.js` referenced in the `package.json` nor the method to build to minified artifacts? This seems like it's not open source.


Hey,

thanks for pointing that out. Rest assured, the site is 100% open source as I'm simply publishing the repo using GitHub Pages. There's no build step.

Regarding package.json's main file: It's a mistake. I did not update it properly after I did `npm init`.




Ah, this is nice to have from the ZXing team.


Doesn't work for me, fyi. iPhone 11, white blank screen


You may know this already, but just in case: the iOS camera app has a QR reader built in, just point the camera at a valid code and it’ll automatically display a tooltip containing the URL which will open in Safari if you tap it.


I just use Firefox. There's a QR button on the URL bar


Note that there is no evidence the security model is broken here. The 'malware' didn't access any private data.

It just popped up annoying ads, which it doesn't need special permissions to do.


> It just popped up annoying ads, which it doesn't need special permissions to do.

Maybe that’s the problem?


Yes, but trusted UI is needed to require permissions for things like that (i.e. so that for every pixel on the screen of the phone the user can be aware which app and security 'container' it came from).

That is pretty hard to achieve, and no mobile or desktop platform really has it.


Ex-AOSP hacker here. I felt it strongly at the time too that Android didn't need anti-malware [0] but I don't anymore.

Some 5 years ago, I switched to Firefox Mobile out of annoyance because Chrome refused to block all those popups random websites would show with some prompting an app install.

Google has since made a lot of improvements including tightening up which apps can install other apps (not a blanket permission anymore), running the Potentially Harmful Applications program, narrowing down fingerprinting (still some way to go as evidenced by TFA). Google is even locking up the code that runs outside of Android in crosvms [1]. I'm positive things will improve [2] even if slowly because Android, at this point, is the most widely distributed OS and they can't move as fast anymore without hurting developers and users.

Google did implement what they call AppOps (2013) which paved the way for a tremendous amount of user control over app permissions. They removed AppOps citing that it was never meant to be used by end-users but by AOSP and app developers [3].

Fortunately, if Android is rooted, one can use AppOps [4]; but then rooting exposes one to an incredible amount.

Besides, there are LittleSnitch-esque firewalls for both root and non-root devices [5].

[0] https://arstechnica.com/information-technology/2011/11/mobil...

[1] https://youtu.be/edqJSzsDRxk

[2] https://android-developers.googleblog.com/search/label/Secur...

[3] https://www.zdnet.com/article/google-removes-awesome-but-uni...

[4] https://github.com/MuntashirAkon/AppManager

[5] https://awesomeopensource.com/projects/android/firewall


How is the average user expected to use adb and Android Studio to identify & remove malware from their phone?

Android security is broken.


You are supposed to debloat all the malware that comes with your phone, courtesy of the manufacturer. If you are not capable of that, or don't care enough to have someone do it for you, you'll have to get used to ads. Annoying ads are considered a feature on stock Android builds.


Installing an app that pops up ads isn't malware. The security model worked just fine.


What surprised here is that Android doesn’t have a native QR scanner. I’ve always assumed that iOS was late to the game and that Google Search/Lens handled QRs since 1999. Is that not the case (anymore)?


My Huawei phone actually does come with a QR scanner. You just have to open the built in camera app, then click this icon[0]. It defaults to the translator camera, which I find really that you can just point at text and it translates it on your screen. Then there's a picture of a square with a line down the center that turns on the QR scanner.

As you can imagine, when all the covid checkins started, I couldn't find this. Everyone would say to me "just open the camera on your iPhone it's easy" as though it was a given that every visitor was using an Apple phone.

I went through three different QR apps based on what I found on the Play Store and all of them blasted me with inappropriate ads I kept wishing I hadn't opened in public. A bit of visibility in the UX would have solved this.

[0] https://ibb.co/L5XG21G


The versions of Android that vendors ship usually have a QR scanner. For example, Samsung's camera app reacts to them by default. I don't think AOSP has a QR reader, but Lineage OS ships a camera that reads them.


I'll add that even though most phones have some sort of built-in reader, there are many reasons a developer would want to use a standalone reader. The Samsung reader launches URLs (99% of QR codes I encounter), and it understands Text and VCARD as well, but I don't know that it understands all kinds of arbitrary or custom QR codes you might want to define.


It's in the Google Lens app on my Pixel 5.


The issue is that some malware installed itself with the name QR scanner, not that Android does or doesn't have a QR scanner. Most Android camera apps (each phone comes with its own) will recognise QR codes fine, although the UI is sometimes annoying.


If Google removed it from the Play store, why don't they have a way to tell people that an app they have installed has been detected as malware and prompt them to remove it?


Blokada has a nice Hostlog view to show requests in real time. I have caught websites I thought I had blocked this way. Wish it would tell me which app made the request.



Coincidentally, I was trying to download a QR code scanner app on my new phone the other day, and looking at the listing, trying to discern which ones were going to be overly greedy with permissions and ad spam, led me to immediately installing F-Droid again. Originally I hadn't planned to bother with it, but man, the Google Play Store is in really bad shape. And advertised apps are just a stupid concept that needs to die.


I really wish there was more granularity to the permissions. For the vast majority of apps, I don't want them to be able to use the internet. Seems pretty basic (other than the fact that it threatens the whole ad ecosystem...)

Would be cool too if there was a shared file space for apps... and apps had to stay within that pen. Giving them access to all your phone's files is just reckless. But I don't have the choice.


> I started by inspecting the list of recurring tasks, but the output was so voluminous that finding anything useful was a dim prospect.

Sometimes I fantasize about a novel computer or phone, where you can "physically" inspect the running (non-OS) applications. On a phone, you'd have a glowing edge where each light or micro display corresponds to one application. You can only ever have 6 or so apps running at the same time. If an app launches a lot in the background, you'd notice it quickly from the new color blinking. On a desktop PC or a server, maybe you'd even have a little door in the case, and behind it a bunch of little OLED displays that replace the task manager. With a click of a physical switch, you could evict an application from memory automatically.

Of course this would be impractical for a lot of reasons, and you'd have to trust the OS/firmware. But I like both ideas of understanding what the PC is doing, and adding back a tactile element to computing.


About QR codes, isn't that the sort of thing that would be much more efficient to do in hardware at the camera chip level?

This makes me think that it would be nice to be able to load "camera sensor scripts" in a similar way to GLSL for GPUs, for filtering and analysis using hardware. (It might be possible, I am not an Android developer.)


> Google Play Protect was also completely unhelpful, which was a big disappointment.

Google Play Protect performs notoriously poorly compared to dedicated malware apps:

https://www.tomsguide.com/reviews/google-play-protect


Yeah, looking at the AVTEST.org results, it has generally appeared Google would've been better off buying a no-name competitor's app rather than trusting their own engineers to implement security software: https://www.av-test.org/en/antivirus/mobile-devices/android/...


Oh I'm so glad this has been posted!

I've been a victim of that specific malware and I was wondering how on earth did it happen as I'm usually careful enough when it comes to security. I also had the barcode scanner app. I didn't go as far as the author and I did a factory reset.


Play store should allow to filter by license and anti-features. That would make it as usable as f-droid.

As an example: try to find a non-ad-infested flashlight app on play store, then try to find a single ad-infested flashlight app on f-droid.


As sad as the incident is: I am glad he is still committed to Android after being a team member and therefore equipped with a deep understanding about the platform and architecture itself.


Scary. Is there such a thing as a malware scanner on Android? Are they effective or worthwhile at all? Why isn't Apple susceptible to this type of malware, seemingly?


A malware scanner won't find an app that you gave permission to show on top of other apps and that uses this to show ads. It is not doing anything it isn't allowed to do.


Every native app can be hacked, or sold, to a malicious actor that will then make your phone theirs.

Reduce the attack surface as much as you can!


Can you explain how you managed to install malware while unlocking your bootloader? The only two methods for unlocking I've ever used are OEM applications like Odin for older phones and simple ADB commands for newer ones, neither of which put you at particular danger from malware.


He didn't. It was just an app that was updated and started showing ads. Not malware as it cannot access anything but still annoying.


Ah. The way he worded his introduction made it seem like "two mis-taps" during the unlock process installed adware on his device.


A not so obvious protip: you usually don't even need a "QR reader app"; modern phone camera apps will pop the link without having to install extra stuff.


[flagged]


All I see is hunter2.


test failed


It’s a joke that this happened. And even worse that he considered installing “malwarebytes”, one of those things that smell of windows 98 shareware, to fix it. This is why I buy iPhone.


If you install an app on iPhone that is allowed to make pop-ups and it shows ads in those pop-ups you get the same situation as here. This wasn't malware as it couldn't access anything except itself.


The article says the app kept opening new browser tabs in Chrome while the app itself was not in the foreground. That’s impossible on iPhones.


I switched to Android (Huawei) 2-3 years ago (after the Apple battery fiasco). I keep installed (and updated) the NoRoot Firewall app, which by default blocks all access.

I also added to my mix the Nova Launcher. It makes it easier to tap&hold an app icon, gives you a quick shortcut straight to the specific app's Settings --> Apps --> specific app's properties, in which I (usually) block access to data/wifi/roaming/background (e.g. for a QR Code reader app).

90% of my apps do not need to reach out to the interweb, and I block them both on Settings as well as Block Data/Wifi on NoRoot Firewall.

Although Huawei is being Huawei (some sneaky apps are running).. I do like the interface for "manually" managing background running (battery) and internet access.


I'm not trying to be facetious or rude, but that seems like a massive decision against something that was largely fixed? I can understand if you had software-problems with iOS but I didn't see that in your comment.

Managing those kinds of blocker apps, and security and such are all great when you're 'in the zone' and have it fresh at the forefront of your thoughts. For me, it only takes a week or so of not thinking about it before my standards slip and I have Just Another Application™ running.


> you had software-problems with iOS

I didn't have any probs with software while using iPhones. I was jailbreaking them, installing a similar firewall and had my mind at ease. I would go to Apple in a heartbeat if they stopped lying and allowed rooted/jailbroken phones.

It is nice to see that on a comment 95% on Android people still downvote me for (justifiably) trashing Apple. They got caught cheating. Then they got caught lying. Then they were found guilty. Apple fanboys are having a party downvoting. Fun fact: "HN karma" is virtual, while the $1k that they pay Apple every year is a REAL number. Keep rocking folks. I guess when someone spits on your coffee you downvote the commenter and keep going back to the same coffee place, right? (https://bgr.com/2020/07/13/iphone-batterygate-lawsuit-settle...)

> and I have Just Another Application™ running

this is absolutely normal/logical. A friend suggested the 7min workout by Johnson & Johnson. Nice app, free, has these simple 7mins workouts, also has warm-up/cool-down if you want the extra 7-8mins.. very nice. Loving it.

It doesn't need internet connection to fully operate (workouts). I don't need it to "back up my progress in their cloud". So it stays offline (forever). It takes 1min when I install that new/extra app to bolt it down and have it behave just as I want (and does not disrupt me with notifications or leak data or kill my battery).



