Incident: CamScanner Android App Contained Malware Impacting Over 100 Million Users

Published Date: 2019-08-28

Postmortem Analysis
Timeline 1. The article reports the incident as recent but gives no date for when the malicious version of the CamScanner app was distributed or when Kaspersky's finding was published [88412].
System 1. CamScanner Android app; the malicious code sat in the component that delivers ads [88412]
Responsible Organization 1. The supplier of the third-party ad-serving code integrated into the CamScanner app [88412]
Impacted Organization 1. Android users who had the CamScanner app installed, since the app was found to contain malware [88412].
Software Causes 1. A recent version of the CamScanner app contained malicious code, located in the part of the app that delivers ads [88412].
Non-software Causes 1. The malicious code came from third-party code used to serve ads, which the app integrated without detecting its malicious behaviour [88412].
Impacts 1. The malware could have shown users intrusive ads or snooped on login credentials; the article describes these as potential effects, not confirmed thefts [88412]. 2. The free version of CamScanner for Android was removed from Google's Play Store in the UK as a result of the finding [88412]. 3. Users were advised to delete the app and wait for a new version without the malicious code, and to run an anti-virus app to check for anything the malware might already have installed [88412].
Preventions 1. Reviewing and auditing the third-party ad-serving code before integrating it, and again on every update of that component, could have caught the malicious code before it shipped [88412]. 2. A stricter vetting process for third-party libraries, in which each dependency is pinned to a reviewed version and the shipped artifact is checked against the reviewed one, would have made a silently altered ad SDK detectable before release [88412]. 3. Security testing of each release build, including dynamic analysis of what the ad component does at runtime (unexpected network destinations, downloaded code, access to credential fields), could have identified the malware before distribution [88412].
Fixes 1. CamScanner released a new version of the app with the malicious code removed [88412]
References 1. Kaspersky researchers, as cited in [88412]
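As an added example of the vetting process described under Preventions (this is not code from the article, from CamScanner, or from Kaspersky), the script below parses a Gradle dependency block, rejects dynamic versions that cannot be reviewed, checks each coordinate against an allowlist of reviewed dependencies, and compares the SHA-256 of the artifact the build actually resolved against the hash recorded at review time. The dependency coordinates, the artifact bytes, and the allowlist are constructed stand-ins chosen to exercise each check; in particular, the ad SDK resolves to different bytes under the same version string, which is the case that version pinning alone does not catch.

```python
"""Dependency vetting gate for third-party Android SDKs (added example).

Assumptions, not facts from the article: the dependency coordinates, the
artifact contents and the allowlist hashes below are all constructed.
"""
import hashlib
import re

# Matches one Gradle dependency line such as:
#     implementation 'com.example.ads:ad-sdk:3.2.1'
DEP_RE = re.compile(
    r"""^\s*(?:implementation|api|compileOnly)\s+['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)

# Constructed sample build file; the coordinates are illustrative only.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.1.0'
    implementation 'com.example.ads:ad-sdk:3.2.1'
    implementation 'com.example.analytics:tracker:2.+'
    implementation 'com.unknown.vendor:mystery-lib:0.9.0'
}
"""


def parse_dependencies(gradle_text):
    """Return a list of (group, artifact, version) tuples from a dependencies block."""
    return [m.groups() for m in map(DEP_RE.match, gradle_text.splitlines()) if m]


def is_pinned(version):
    """Only an exact numeric release (e.g. 3.2.1) can be reviewed and hashed.
    Dynamic versions ('2.+', ranges, '1.0-SNAPSHOT') are rejected outright."""
    return re.fullmatch(r"\d+(\.\d+)*", version) is not None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Bytes of the artifacts that passed review (stand-ins for real AAR/JAR files).
# In practice the allowlist stores the hash recorded at review time; here it is
# derived from the stand-in bytes so the example runs offline.
REVIEWED_ARTIFACT_BYTES = {
    ("androidx.appcompat", "appcompat", "1.1.0"): b"appcompat-1.1.0-reviewed",
    ("com.example.ads", "ad-sdk", "3.2.1"): b"ad-sdk-3.2.1-reviewed",
}
ALLOWLIST = {coord: sha256_hex(data) for coord, data in REVIEWED_ARTIFACT_BYTES.items()}


def vet(gradle_text, fetched_artifacts):
    """Vet every dependency in gradle_text.

    fetched_artifacts maps (group, artifact, version) to the bytes the build
    actually resolved. Returns {"group:artifact:version": verdict}.
    """
    verdicts = {}
    for group, artifact, version in parse_dependencies(gradle_text):
        key = (group, artifact, version)
        coord = f"{group}:{artifact}:{version}"
        if not is_pinned(version):
            verdicts[coord] = "REJECT: dynamic version, cannot be reviewed"
        elif key not in ALLOWLIST:
            verdicts[coord] = "REJECT: not on the reviewed allowlist"
        elif key not in fetched_artifacts:
            verdicts[coord] = "REJECT: artifact not resolved by the build"
        elif sha256_hex(fetched_artifacts[key]) != ALLOWLIST[key]:
            # Same coordinate, different bytes: the reviewed version was swapped.
            verdicts[coord] = "REJECT: artifact bytes differ from reviewed build"
        else:
            verdicts[coord] = "OK"
    return verdicts


# Constructed resolution result: the ad SDK carries extra content under the
# same version string, which only the hash comparison detects.
FETCHED = {
    ("androidx.appcompat", "appcompat", "1.1.0"): b"appcompat-1.1.0-reviewed",
    ("com.example.ads", "ad-sdk", "3.2.1"): b"ad-sdk-3.2.1-with-extra-payload",
    ("com.unknown.vendor", "mystery-lib", "0.9.0"): b"mystery",
}

if __name__ == "__main__":
    for coord, verdict in vet(SAMPLE_BUILD_GRADLE, FETCHED).items():
        print(f"{coord:45} {verdict}")
```

The gate is meant to run in CI on the release build: a REJECT on the ad SDK blocks the release until someone reviews the changed artifact, which is exactly the point at which a malicious addition to an ad component would be caught rather than shipped to users through automatic updates.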

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown (a) The article does not report the incident recurring within CamScanner after the cleaned version was released [88412]. (b) The article does not mention a similar incident at other organizations or in other products involving the same malicious ad-serving code [88412].
Phase (Design/Operation) design, operation (a) Design: the malicious code was part of the app build itself, inside the ad-delivery component, so the defect was introduced when third-party code was integrated into the app rather than during use [88412]. (b) Operation: the malicious version reached devices through the normal update channel, so users with automatic updates enabled received it without taking any action, and remediation depended on users deleting the app, waiting for a cleaned release, or running an anti-virus scan [88412].
Boundary (Internal/External) within_system, outside_system (a) within_system: the malicious code was inside the app's own codebase, in the part of the app that delivers ads, where Kaspersky researchers found it [88412]. (b) outside_system: that code was third-party code used to serve ads, so its origin lay outside the app's core development [88412].
Nature (Human/Non-human) non-human_actions, human_actions (a) From CamScanner's standpoint the malicious code entered the app without deliberate participation by its own developers: it arrived inside the third-party ad-serving component rather than being written into the app [88412]. (b) Human actions were involved on both sides of the incident. The malicious functionality was deliberately built into the third-party code by whoever supplied it, and the response was human as well: Kaspersky researchers identified the code, CamScanner released a new version with it removed, and users were advised to delete the app, wait for the cleaned version, and run an anti-virus app to check for anything already installed [88412].
Dimension (Hardware/Software) software (a) The failure was not a hardware issue; the malicious code was in the software itself, in the part of the app that delivers ads [88412].
Objective (Malicious/Non-malicious) malicious (a) The failure is malicious. The code found in the app's ad-delivery component could show intrusive ads or snoop on login credentials, behaviour that only exists because someone built it in with the intent to harm users [88412].
Intent (Poor/Accidental Decisions) poor_decisions (a) The failure traces to a poor decision by those who built the app: integrating third-party ad-serving code without vetting sufficient to detect that it contained malicious functionality. The malicious behaviour itself was not an accident of that code but a deliberate feature of it, designed to show intrusive ads or snoop on login credentials [88412].
Capability (Incompetence/Accidental) accidental (a) The article does not attribute the malware to incompetence on the part of CamScanner's developers; Kaspersky found the malicious code inside a third-party ad-serving component, not in code the developers wrote themselves [88412]. (b) From CamScanner's side the inclusion was accidental: the malicious code arrived with third-party code used to serve ads, and its presence exposed users to intrusive ads and possible credential snooping [88412].
Duration temporary The failure was temporary. It was confined to a recent version of the app whose ad-delivery component carried the malicious code, so it arose from a contributing factor present only in certain circumstances, and it ended when a new version without the malicious code was released [88412].
Behaviour value, other (a) crash: the app did not lose state or stop performing its intended functions; it continued to work as a document scanner while carrying the malicious code [88412]. (b) omission: the app did not omit any of its intended functions; the problem was additional, malicious behaviour in the ad component [88412]. (c) timing: the intended functions were not performed too late or too early [88412]. (d) value: the ad-delivery component performed its function incorrectly, in that the code it ran could show intrusive ads or snoop on login credentials instead of only serving legitimate ads [88412]. (e) byzantine: the article does not describe inconsistent or contradictory responses from the app [88412]. (f) other: the behaviour is best described as a security compromise of the app through malicious third-party code, creating privacy and security risk for users [88412].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The article describes the malware's effects as potential: the code could have shown intrusive ads or snooped on login credentials, but no confirmed credential theft and no physical harm is reported, so the privacy and credential exposure is a theoretical consequence rather than harm in the sense of (b) [88412]. The observed consequence falls under property in the sense of (d): users' devices carried a malicious app that they were told to delete, and the free version was removed from Google's Play Store in the UK, leaving users without the document-scanning app they relied on until a cleaned version was released [88412].
Domain other (a) The incident does not relate to the production and distribution of information industry. (b) It does not involve transportation services. (c) It is not related to the extraction of natural resources. (d) It does not involve sales transactions. (e) It is not related to the construction industry. (f) It does not involve manufacturing products. (g) It is not related to utilities services. (h) It does not directly involve financial transactions. (i) It does not relate to knowledge, education, research, or space exploration. (j) It does not directly involve the health industry. (k) It does not relate to the entertainment industry. (l) It does not involve government services. (m) The incident belongs to the software industry, specifically the mobile application sector: the app scans documents and converts them into PDFs, and the malware in it affected an app with over 100 million Android users [88412].
