One of the first Android apps — ZXing Team’s Barcode Scanner, an app that predates the first official release of Android itself — is currently getting review-bombed on the Google Play Store. Hundreds of users are leaving 1-star reviews claiming a recent update hijacks your browser to spew unwanted ads, while nearly 200 more have come to the app’s defense with 5-star reviews of their own.
It’s not quite clear what’s going on here, but the prevailing theory is that the 100-million-download-strong app is getting mistaken for another one with the same exact name — one that might have been a clone of ZXing’s app and one that did add malware in a recent update, according to digital security firm Malwarebytes.
Malwarebytes seems to be aware of the confusion; it updated its original post yesterday to be extra clear that the bad barcode scanner app was this one, which came from a company called Lavabird, not ZXing Team. Google removed that app from the Play Store, so it wouldn’t be surprising if angry users searched for it and found the wrong one.
The sudden attention surprised the original app’s co-creator, Sean Owen, who tells The Verge that he’s not worried about his reputation — simply because of how ridiculous he thinks the claims are.
“[T]his is such an old well-known app that I think anyone informed would guess it can’t be this app: it’s open source, for one. It hasn’t been updated in years. And there’s just no motive, to make an app for 13 years just to stick malware in at the end is an implausibly long game,” he says. The Google Play Store shows the app was last updated in February 2019.
But he also isn’t ruling out the possibility that his code is being manipulated somehow, perhaps by hijacking the intents system that Android uses to let one app hand off tasks to another. “Many people claim it’s ‘definitely’ this app in a way I hadn’t seen before — and I’ve read thousands of comments over the years — so, who knows?”
Owen says he and his co-author Daniel Switkin now regret their decision to make the app open source back in the day because of all the times it’s been cloned by companies trying to make a quick buck by adding ads or skins. “For a time we pursued some of the larger ones for OSS license / trademark problems, but, that was fewer than 10 out of the 100s I saw even many years ago,” Owen says.
This isn’t the first time his app has been mistaken for a bad clone, he says. “At some point a research paper claimed this app was phoning personal info to a third party site, and that caused another wave [of bad reviews], but, naturally the authors found they’d mixed up two similar apps.”
I redownloaded the OG Barcode Scanner app today for the first time in many years. When I launched it, the app warned me that it “was built for an older version of Android and may not work properly,” and I found it only works in landscape orientation. But I saw no ads, it sure scanned barcodes fast, and I haven’t seen any pop-ups or browser hijacking yet.
Right now, ZXing Team’s Barcode Scanner app sits at a solid 4.0 stars with nearly 640,000 reviews. Google hasn’t yet commented about how it might handle the negative reviews.