Google's reign over the Play Store often feels arbitrary, with legitimate apps disappearing for bogus reasons like out-of-context words or images while malware is thriving. Another case has surfaced of an app turning into malware right under Play Protect's nose, and this time, the perpetrator is a Play Pass app with over 10 million installs: the generically named Barcode Scanner app. It has been removed since its discovery, but the developer's account remains active and offers other applications.
Security company Malwarebytes writes that some of its forum users reported strange behavior, with their browser opening a scary website telling them to install a Cleaner app for their phone due to bogus security issues. It took some time to find the culprit, since many people have had Barcode Scanner installed for years and never had any issues with it. But when Malwarebytes examined Barcode Scanner's latest release, which found its way onto phones via auto-update, it found some obfuscated code that turned out to be a trojan responsible for opening the browser and the scary-looking website.
A screenshot of the Play Store listing saved to archive.org, showing the app was part of the Play Pass before it changed hands.
Barcode Scanner was inconspicuous for years, and judging from a snapshot of the app's Play Store listing from November 2020, it was even part of Google's official Play Pass program, which offers subscribers perks like ad-free or premium versions of apps at no additional cost. Back then, Barcode Scanner appears to have been owned by a different developer, who still seems to offer a similar or older version of the same app, "barcod scanner," last updated in August 2020. It's highly likely that the malware was only introduced after the app changed hands. Before its removal from the Play Store, it was last attributed to developer LAVABIRD LTD, which still offers a selection of other apps to this day.
The situation is quite reminiscent of last week's removal of The Great Suspender. Google kicked the popular browser extension off its web store after malware accusations, but there's a key difference. While The Great Suspender was automatically disabled and removed from all browsers, Barcode Scanner remains on the phones it was previously installed on.
To find out if you've got this particular barcode scanner on your phone (there's a whole sea of similar, legitimate apps that are not to be confused with this one), download an app like AppChecker and search for "barcode scanner." If a result with a package name matching "com.qrcodescanner.barcodescanner" shows up, delete that app. You can also try and see if Barcode Scanner's Play Store link is still active for you on your phone.
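To check several phones from a computer instead of installing a checker app on each, the same package-name lookup can be scripted over adb. This is an added example, not from Malwarebytes or the original article; it assumes adb is installed and USB debugging is authorized on each phone, and the look-alike package names in the sample listing are constructed.

```shell
#!/bin/sh
# Package name reported in the article for the trojanized Barcode Scanner.
TARGET_PKG="com.qrcodescanner.barcodescanner"

# Reads `pm list packages` output on stdin; succeeds only on an exact match.
# -F: literal string (dots are not wildcards), -x: whole line must match,
# so similarly named legitimate scanners are not flagged.
has_target_pkg() {
    tr -d '\r' | grep -Fxq "package:${TARGET_PKG}"
}

# Constructed sample listing: only the last line is the package from the
# article, the other names are made-up look-alikes.
sample_listing() {
    cat <<'EOF'
package:com.android.chrome
package:com.example.qrcodescanner.barcodescanner
package:com.qrcodescanner.barcodescanner.pro
package:com.qrcodescanner.barcodescanner
EOF
}

# Checks every authorized device that `adb devices` reports.
scan_devices() {
    found=0
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        if adb -s "$serial" shell pm list packages </dev/null | has_target_pkg; then
            echo "$serial: $TARGET_PKG is installed; remove it with:"
            echo "  adb -s $serial uninstall $TARGET_PKG"
            found=1
        else
            echo "$serial: not installed"
        fi
    done
    return "$found"
}

# Pass --scan as the first argument to query attached devices.
if [ "${1:-}" = "--scan" ]; then
    scan_devices
fi
```

The exact whole-line match matters because a substring search for "barcodescanner" would also hit the many legitimate scanner apps with similar package names.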
As an alternative, we can only recommend using Google Lens, since it's already pre-installed as part of the Google app on all Android phones (the linked Play Store app is just a link to the relevant part of the Google app for your homescreen).