This week, it was uncovered that a Google Play Pass app with over 10 million installs turned into malware and distributed pesky popup advertisements. Google removed this app from the Play Store long ago, but because of its generic name, "Barcode Scanner," the original, legitimate Barcode Scanner app bearing the same name found itself caught in the crossfire and received numerous unwarranted 1-star ratings accusing it of being malware.


Left: The removed malicious app. Right: The legitimate app.

Many people who were infected by the malware and identified the malicious Barcode Scanner app as the culprit probably took to the Play Store for a review right after uninstalling, but because the malicious scanner app was already removed, they only found the legitimate Barcode Scanner listing and assumed this was the one that caused their woes. They probably didn't notice that this app is open source and hasn't been updated since 2019 — both factors making it unlikely that it would push malware all of a sudden. In fact, this legitimate Barcode Scanner was developed by Googlers and is built on top of Google's QR Code decoder library ZXing — hence the developer name ZXing Team. The app was even one of the first to ever be available in the Android Market (now Play Store).

Following our coverage and the Malwarebytes report, the legitimate Barcode Scanner app actually received far fewer 1-star ratings, as it probably became clearer that the ZXing Team application wasn't the culprit. That's why you see an influx of 5-star ratings defending the app and confirming that it doesn't distribute malware.

When we tested ZXing Team's Barcode Scanner for ourselves, we couldn't find any weird or suspicious behavior, though we did notice how outdated the app is nowadays. It still relies on Android's old permission system and comes with a warning that it was built for an older version of the OS and might not work properly. We can only hope that Google will restore the ratings for the app, but given that it's still sitting at a comfortable 4-star average and isn't actively maintained anymore, it remains an open question whether Google is even interested in righting this wrong.

If you're still looking for a replacement for the malicious Barcode Scanner, we can only keep recommending Google Lens, which is built into the Google app and is already pre-installed on all Android phones anyway (the "app" you can download from the Play Store is just a shortcut for your launcher).