It's time to uninstall the CamScanner app from your Android phone.
Yes, a dangerous malware component has been found in the popular PDF creator app "CamScanner", which has been downloaded by over 100 million Android users from the Google Play Store.
CamScanner is one of the most popular document scanning apps; it converts any printed document to a PDF file and is developed and maintained by INTSIG Information Co., Ltd.
Security researchers noticed negative comments posted on the Google Play Store in which users complained that the app was delivering unwanted features to their Android phones.
Further analysis revealed that the CamScanner advertising library contains a malware component that can perform various malicious activities on the infected user's Android phone.
Infection Process
While the app is running on the Android device, CamScanner uses a third-party advertising library that drops malicious code with the help of a Trojan dropper.
In the next step, a configuration file called "comparison" is decrypted, revealing the configuration with the addresses of the attackers' servers.
Later it downloads additional modules from the command and control server and executes the code to download and launch the payload from the malicious server.
The malware's motivation is believed to be silently taking control of victims' Android devices and stealing money by delivering aggressive advertising and encouraging users to subscribe to paid utilities.
Researchers from Kaspersky detected this malware as Trojan-Dropper.AndroidOS.Necro.n and reported it to Google.
The app has now been removed from the Google Play Store, but millions of users are still not aware of its malicious activity and keep the malicious version on their phones.
The CamScanner app is available from third-party app stores, and the developers advertise it in various forums and on some popular blogs.
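A small triage helper, added here as an example (it is not code from the article or from Kaspersky's analysis), applies the two checks a defender can make from the description above: hash an APK for comparison against the published MD5 list, and look for a bundled entry named "comparison", the encrypted configuration file the dropper decrypts. The assets path and the constructed sample APK are assumptions.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Set

# Name of the encrypted configuration file the dropper decrypts to obtain its
# C2 addresses. Its location inside the APK is an assumption; every zip entry
# whose base name matches is reported.
SUSPECT_CONFIG_NAME = "comparison"


def md5_hex(data: bytes) -> str:
    """MD5 of the whole APK, for matching against a published MD5 IoC list."""
    return hashlib.md5(data).hexdigest()


def find_suspect_entries(apk_bytes: bytes) -> List[str]:
    """Return zip entry paths whose base name is the suspect config file name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == SUSPECT_CONFIG_NAME:
                hits.append(name)
    return hits


def triage_apk(apk_bytes: bytes, ioc_md5s: Set[str]) -> Dict[str, object]:
    """Combine both checks into one verdict.

    ioc_md5s is the defender's own copy of the published MD5 list; it is
    supplied by the caller because no real hash is embedded in this example.
    """
    digest = md5_hex(apk_bytes)
    entries = find_suspect_entries(apk_bytes)
    return {
        "md5": digest,
        "md5_in_ioc_list": digest in ioc_md5s,
        "suspect_entries": entries,
        "flagged": digest in ioc_md5s or bool(entries),
    }


def build_sample_apk(with_config: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest and optional config."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        if with_config:
            zf.writestr("assets/comparison", b"\x00encrypted-config-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(True), set()))
```

A real run would pass the bytes of an APK pulled from the device and the MD5 set loaded from the vendor's IoC list.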
Indicator of Compromise