An Update Turned This App Into Malware. Were You Affected?

Popular Barcode Scanner App Turns Malicious, Affects Millions

A once-trusted barcode and QR code scanner app has turned on its users, compromising nearly 10 million devices.

Lavabird Ltd’s Barcode Scanner gained popularity on the Google Play Store as a go-to solution for Android users. Unlike Apple’s newer devices, Android phones don’t come with built-in QR code or barcode scanning capabilities, making apps like Lavabird’s essential for many consumers. For years, the app maintained a clean security certificate, earned thousands of positive reviews, and showed no signs of malicious code.

Security-conscious users trusted the app—until a routine update transformed it into malware.

Malwarebytes Identifies the Threat

In late December, Malwarebytes, a cybersecurity company focused on malware detection and prevention, started receiving complaints from users. These users reported that their devices began launching ads automatically through the built-in internet browser.

This behavior resembled “malvertising”—a form of malware usually linked to newly installed apps. However, affected users hadn’t downloaded any new apps recently. Malwarebytes eventually traced the source of the infection to Lavabird’s Barcode Scanner, which had been operating safely on devices for years.

Removing the App Removes the Threat

Fortunately, uninstalling the app appears to eliminate the malware. However, the bigger concern lies in how easily an app built up trust, only to later deliver a malicious update without raising red flags.

For today’s consumers, checking reviews and permissions before downloading an app no longer offers sufficient protection.

How to Protect Yourself and Your Devices

Start by reviewing the apps on your phone. Delete any that you no longer use, and keep an eye out for unusual behavior after installing or updating an app.

If you manage a business and issue work phones to employees, consider restricting app downloads and updates. Doing so gives you more control over device performance and security.

Need help creating a mobile device security strategy for your organization? Reach out to us at info@optfinITy.com—we’re here to help.