Supply Chain Attack Trends Involving Apps and Extensions

In February, a widely used barcode scanner app on Google Play was found to have infected 10 million users with a trojan named Android/Trojan.HiddenAds.AdQR. The attack was triggered with an update that turned the app malicious while going under the radar of Google Play Protect.
While the number of infected devices reflects the attackers’ ulterior motive, the compromises puzzled most users, since they had not downloaded the new update, according to an analysis by Malwarebytes.

So where was the problem?

  • The malicious behavior came from the update to the app, which was downloaded on millions of Android phones.
  • A group of malicious publishers had bought the code and pushed a malicious update to every user of the application.

The bigger picture

  • This supply chain attack, in which attackers buy the software along with its source code and push a malicious version, is a new technique that will likely grow in popularity among cybercriminals.
  • This can enable attackers to skip the scrutiny process while executing the infected software on users’ systems without their knowledge.

A glance at some similar incidents

  • In early February, Google removed the Great Suspender extension from Chrome Web Store for containing adware.
  • Users of the extension noticed in October 2020 that new owners had installed updated code on users’ systems without notification, code that behaved similarly to adware.
  • In another incident, the China-linked TA413 threat actor group used an add-on named FriarFox to harvest data and log keystrokes from the Tibetan diaspora.

What’s more concerning?

  • A researcher’s investigation revealed that a number of malicious apps present on the App Store are hosting a variety of scams. Most of these apps followed a common formula, which includes fake reviews and ratings to boost their status on the App Store and lure in more victims.
  • One of the most prominent suspects is an app called KeyWatch, which is a copy of the original FlickType Apple Watch keyboard typing tool.
  • The scam apps raked in millions for criminals across the world.


By targeting legitimate and popular apps and extensions, cybercriminals have added another door for launching devastating supply chain attacks. Therefore, the companies behind the ecosystem should ensure the security checks on updates are as rigorous as those on the original applications.