Nathan Collier of Malwarebytes:
Late last December we started getting a distress call from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner. An app that has 10,000,000+ installs from Google Play! We quickly added the detection, and Google quickly removed the app from its store.
The basic premise of corrupting a straightforward utility app is not new, but it is concerning. In 2018, Craig Silverman of BuzzFeed News revealed that an entire company with the unsubtle name We Purchase Apps acquired over a hundred apps to execute an ad fraud scheme on Android. Becky Hansmeyer wrote about how an iOS wallpaper app was flipped to another developer that packed it full of ads. Browser extensions are another popular vector, particularly for analytics companies that want to spy on users’ browsing. One especially aggressive Chrome extension prompted a 2016 FTC investigation.
Update: Google recently pulled another Chrome extension after its new owners added malware.