Kaspersky researchers reported that the app in question was CamScanner, "a phone-based PDF creator that includes OCR (optical character recognition).”
The report notes that CamScanner was a legitimate app with no malicious intentions. Like other applications, the developers displayed ads and offered in-app purchases to make money. “However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module,” writes the researchers.
A “Trojan Dropper,” which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, was added to the app. It doesn't perform any malicious functions on its own but is used to download other types of malware, such as those that show intrusive ads, sign-ups for fake subscriptions, or ones that steal banking details. The Kaspersky team says this specific type of Trojan Dropper has been seen before “in some apps preinstalled on Chinese smartphones."
Some users of the app had noticed the suspicious behavior and left reviews on Google Play warning others to avoid CamScanner. While it appears the developers got rid of the malicious code in the latest version, Kaspersky notes that versions of the app vary for different devices, and some of them may still contain malicious code.
Earlier this month, Google removed 85 adware-infested apps from the Play Store that had over eight million installs in total, and back in November last year, over 500,000 users installed malware-ridden apps from a single creator.