Apps I download from Apple’s iTunes or Google’s Play Store are safe, right? Well, usually. However, here at Symphony Systems we’re always on the lookout for the exceptions, and here’s the latest one.


Who discovered what and when?

Security researchers at Kaspersky announced no more than 24 hours ago the discovery of malware in the very popular CamScanner document and business card scanning app for the Android mobile operating system. This app already had over 100 million downloads (no, that’s not a typo). It was, by many accounts, a very good business card scanner, providing accurate scans and some nice features. It performed well in our testing at Symphony Systems when we compared several mobile document scanner apps a few years ago. Further, it did not, as far as we can tell, include any malicious code for years. However, versions of the app that do include malware started appearing in Google’s Play Store several weeks ago, which illustrates why it’s so important to apply intelligent security to the management of mobile devices. (We can help with that, but you probably figured.)


What does the malware do?

The malware that was present in several recent versions of the app is one of the scarier kinds of malicious code. Instead of just spying on you (Did you say “just” spying?) or stealing your information, it checked in now and then with a server run by bad guys for instructions for it to follow and to download additional malware onto your device. That gives this malware a lot of latitude. It can do pretty much whatever it wants on your device because it’s not constrained to doing only what it was created to do at the start. Very bad news.


What should I do now?

This app’s vendor, INTSIG, has demonstrated who they are and what they are willing to do to you. Remove this CamScanner and its sibling apps, CamCard and CamCard for Salesforce, from your devices immediately. If you opened an account at their website to use any of the features that require that, log in and delete any information you’ve stored there. If you’ve used the same password at their website as you’ve used at other services (a no-no we’ll talk more about some other time), make sure you change your passwords at the other services.


What app should I use now?

There are lots of good document and business card scanner apps on the market, many free and the rest cheap. If you want to scan business cards and typical business and personal documents and create tight, small PDF files from them, a good bet is Mobile Doc Scanner (MDScan) Lite by STOIK Soft, which is free, or its big sibling Mobile Doc Scanner (MDScan) + OCR that adds a nice list of additional features for just five bucks. This app’s user interface isn’t the prettiest, but it does a lot, produces very small PDFs, and just works. Other good options are ABBYY Business Card Reader, ScanBizCards, Sansan, CardHQ, and Zoho Card Scanner. For document scanning, ABBYY FineScanner, Microsoft Office Lens, Adobe Scan, Scanbot, Tiny Scanner, FineScanner, and Genius Scan are good options. You might already have an app on your mobile device that does these things. For example, if you use OneDrive or OneDrive for Business, the latest version of the OneDrive app can scan just fine.


A Little More Background Info

A couple thoughts on INTSIG: If you’re familiar with government or military jargon, that company name might strike you as interesting, to say the least, being just a jumble away from SIGINT, short for signals intelligence, a term used to refer to gathering intelligence derived from electronic signals and systems. INTSIG appears to be owned by CC Intelligence Corporation, which is based in Shanghai, China, the Milpitas address listed on the company’s website notwithstanding. CC Intelligence Corporation also offers products and services in areas such as bank card recognition, passport recognition for industries such as banking, securities, supply chain, and the government sector. (Would you trust them with these things?) Their domains are registered through HiChina, the largest domain registration service and web hosting service company in China, and now owned by the massive Chinese conglomerate Alibaba Group.


For the record, CamScanner’s developer has stated that the malicious code in their app got there through a third-party advertisement SDK (a tool that programmers use to work more efficiently and access third-party services). They claim they are going to take legal action against this other company and that they have not found evidence of any data leaked from their app. None of this can be independently verified.


I have questions!

One thing we can verify, however, is that mobile security is important. Consider all the confidential information stored on and flowing through your smartphone, and you’ll understand why we’re concerned. Questions? If you already work with someone at Symphony Systems, reach out to that person for advice and guidance specifically tailored to your organization’s needs. If we don’t already know you, we’re still just as happy to help. Drop a note to [email protected] or call (847) 864-1887.