Cyber-security researchers at Kaspersky claim to have found a hidden Trojan Dropper module within a wildly popular Android app, turning it into potential spyware. According to their report, the malware is found in the free version of CamScanner, a highly popular Phone PDF creator app with more than 100 million downloads on the Google Play Store.

The hidden Trojan Dropper was unearthed by Kaspersky following reports from many CamScanner users, who complained about suspicious behavior and left reviews on the app’s Google Play page warning others to avoid it at all costs. Identified by the Kaspersky team as Trojan-Dropper.AndroidOS.Necro.n, the malicious code had earlier been observed in some apps pre-installed on Chinese smartphones.

According to the researchers, the malicious module doesn’t actually reside within the CamScanner code itself, but is part of a third-party advertising library that was recently introduced into the app. As per their blog post, CamScanner was originally a legitimate app, but that changed with recent versions that shipped with an advertising library containing a malicious module. “It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser”, they said.

To explain how a typical Trojan Dropper works, the researchers said: “the module extracts and runs another malicious module from an encrypted file included in the app’s resources. This ‘dropped’ malware, in turn, is a Trojan Downloader that downloads more malicious modules depending on what its creators are up to at the moment”.

Even though CamScanner developers got rid of the malicious code with the latest update, Kaspersky is recommending that existing users uninstall it from their devices, irrespective of which version they’re running. Google has also removed it from the Play Store following Kaspersky’s report.