This module — identified as Trojan-Dropper.AndroidOS.Necro.n — is a trojan dropper, meaning it can extract and run a second malicious component encrypted within the app. This trojan downloader can be leveraged to infect the devices with other kinds of malware.

Kaspersky researchers found that when CamScanner is run, the dropper decrypted and executed malicious code contained in a “mutter.zip” file within the app, before downloading encrypted code from a command-and-control server “https://abc.abcdserver[.]com.”

“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” the researchers said. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”