CamScanner app infected by Trojan Dropper malware

CamScanner was one of the most popular scanner and PDF creator apps for Android phones. It is a phone-based PDF creator with an optical character recognition (OCR) system. According to the Google Play Store, it has more than 100 million downloads. The Google Play Store is often recommended to Android users as the safest source for mobile apps, but, as it was written somewhere, "Nothing is 100% safe in this world".
It is the job of the Google Play Store moderators to thoroughly check apps for vulnerabilities and for the safety of both users and Google's servers, but thousands of apps are uploaded to the Play Store every day and it is not possible to check each one thoroughly; they check the modules and the basics. We cannot blame Google for such an incident, but as the host of these apps it should keep a sharp eye on them, because Google is the brand that every Android user trusts.
Initially CamScanner was a legitimate PDF creator, and no malicious modules were found at that time. Steadily the developers made modifications, such as app monetization and then in-app purchases for extra features, and these were done with the user's consent. But in a recent update they released a new version with a malicious module injected into an advertising library, containing Trojan-Dropper.AndroidOS.Necro.n, also known as a Trojan Dropper, which had previously been found on Chinese smartphones.

How does the CamScanner Trojan work?
This Trojan runs another module from an encrypted file stored in the resources of the app. The app will then show intrusive ads, force users to sign up for paid subscriptions, and exhibit other behaviours depending on the various modules downloaded by the Trojan dropper. Now let's get more technical.
The main job of the Trojan-Dropper.AndroidOS.Necro.n module is to download and launch a payload from external malicious servers. After successful delivery of the payload, the developer or owner of the module can use the infected Android device in whatever way benefits them: for example, showing users intrusive ads, and then stealing money from the user's account by turning those intrusive ads into forced paid subscriptions.
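Because the dropper hides its second stage as an encrypted file inside the app's resources, one cheap triage check a defender can run over an unpacked APK is byte entropy: encrypted or packed blobs sit near 8 bits per byte, while ordinary text and configuration resources sit far lower. The following script is an added example, not code from the original post or from any analysis of CamScanner itself. It builds a handful of constructed in-memory "resources" (a text file, a JSON-like config, a random blob standing in for an encrypted module, and a fake PNG) instead of reading a real APK, and the threshold of 7.2 bits per byte and the 1 KiB minimum size are assumptions chosen for triage, not values taken from the post.

```python
import math
import random
from collections import Counter

# Assumed triage cutoff: 8.0 is the maximum for byte data; plain text and
# uncompressed resources usually stay below ~6.5 bits per byte.
ENTROPY_THRESHOLD = 7.2
# Assumed minimum size: tiny files give noisy entropy estimates.
MIN_SIZE = 1024

# Magic bytes of formats that are legitimately high-entropy (already compressed).
COMPRESSED_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def flag_suspicious_resources(resources: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return the resources whose entropy suggests an encrypted or packed blob.

    `resources` maps a path inside the APK (e.g. "assets/plugin.bin") to the
    file's bytes; in real use these would be read from the unzipped APK.
    Files starting with a known compressed-format header are skipped, because
    PNG/ZIP/JPEG data is high-entropy by design and would be false positives.
    """
    findings = []
    for path, data in resources.items():
        if data.startswith(COMPRESSED_MAGIC):
            continue
        if len(data) < MIN_SIZE:
            continue
        ent = shannon_entropy(data)
        if ent >= threshold:
            findings.append({"path": path, "entropy": round(ent, 2), "size": len(data)})
    return findings


# Constructed sample "APK resources" so the script runs stand-alone (hypothetical paths).
_rng = random.Random(2024)  # seeded so the run is reproducible
SAMPLE_RESOURCES = {
    "res/raw/notice.txt": b"This is an ordinary text resource in the app. " * 64,
    "assets/config.json": b'{"server": "https://example.invalid:8888"}' * 40,
    "assets/plugin.bin": _rng.randbytes(4096),            # stand-in for an encrypted module
    "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n" + _rng.randbytes(2048),
}

if __name__ == "__main__":
    for finding in flag_suspicious_resources(SAMPLE_RESOURCES):
        print(finding)
```

Entropy alone does not prove a file is malicious (legitimate apps ship encrypted assets too), so the hits are a worklist for a reverse engineer: the next step is to find the code that reads and decrypts the flagged file, which is where a dropper's loader logic lives.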
Servers from which the malicious modules are downloaded

    "server": "https://abc.abcdserver[.]com:8888",
    "default": "https://bcd.abcdserver[.]com:9240",
    "dataevent": "http://cba.abcdserver[.]com:8888",
    "PluginServer": "https://bcd.abcdserver[.]com:9240"

[Figure: the piece of malicious code]