by slezyr 1986 days ago
Or anything from FDroid. I use Barcode Scanner (https://f-droid.org/en/packages/com.google.zxing.client.andr...) as it scans even damaged codes.

Same here. Generally when looking for good quality Android apps, F-Droid should come first. I think about 95% of the apps I use on my phone are covered with F-Droid. Only banking apps and public transit apps are from the Play Store.
> Or anything from FDroid.

This is the best heuristic to apply not just for QR code scanning, but for pretty much everything. To avoid malware, avoid the Play Store.

When using f-droid, also check out the project web site and git repo (at least in a cursory way, even if you can't fully audit the code, you can get a sense of who the developer is and the project's overall health from the commit log and issue tracker).

I'm largely in the dark when it comes to Android security. What makes F-Droid so much safer?
F-droid only accepts open-source apps. Apps with anti-features are also marked as such.

Play store should only be used for things that you can't work around with apps from f-droid.

It's not truly safer. It's just smaller, and only has open-source apps. So it's harder to hide malware, but still certainly possible (nobody checks most apps).
It seems much safer. F-droid apps are finely curated open-source apps and anti-features are marked and easily avoidable.
The issue is the "finely curated" statement. It's not a full code review, just "Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive though, and there are no guarantees."[1] After an app is added to F-Droid it gets built from source by the F-Droid build servers, but it does not generally get re-reviewed. It's perfectly possible to add the malware after the initial release. It's also possible (even easy) for malware to be missed by the limited code review. F-Droid is a little safer, but that doesn't mean it's particularly safe. It's no harder to get malware on F-droid than it is to get it into Arch or Debian or any other distro repository.

[1] https://f-droid.org/en/about/

I believe 'Barcode Scanner' was potentially one of the first barcode scanners on Android. Been using it since Android 1.x on the ADP1.

Don't forget it is on the Google Play store too. https://play.google.com/store/apps/details?id=com.google.zxi...

There was a time when QR Code scanning was better in Android than iOS (native in iOS 11.x).

The "Google" way of scanning QR Codes is Google Lens, but it doesn't work offline :|

Beware, the play store version shows full screen ads, auto redirects and needs contacts permissions.
Is there any proof for this, apart from those bad reviews? The blog mentions another (now removed) app with the package name com.qrcodescanner.barcodescanner, not the open source one at https://play.google.com/store/apps/details?id=com.google.zxi...

I believe these bad reviews might be a result of the malware app pushing bad reviews to the zxing app page on google play, using an in app 'rate this app?' -> low rating -> send to the zxing app in Google Play (instead of the malware app in google play).

As noted above, I believe this to be the case. I had the other app and started receiving full page ads for it. Totally different developer, but same app name. I am no longer able to find that app in the play store.
Ah, looks like my installation is actually from FDroid, and I never realised.
I've installed from Google Play, and never seen any ads. It has contacts permission, but that's because sharing contacts with a QR code is something I use it for frequently (it can generate codes as well as scan them).
I feel like this is a good example of how difficult it is to find a good barcode scanner. It mentions permissions for contacts and full network access. I would have thought that those two permissions should not be necessary for a barcode scanner and point toward something dodgy going on.
It's actually not that difficult. F-Droid has a few offline scanners. It depends of course on how much of your experience you want automated. Though it would be nice if Android let you control the more granular permissions like network access.

https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...

https://f-droid.org/en/packages/de.t_dankworth.secscanqr/

Error correction is inherent in processing the QR code itself. That is, QR codes are generated with varying levels of redundancy, and any reader must be able to interpret the Reed-Solomon code.
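The Reed-Solomon layer the comment above refers to, as an added example that is not part of the thread or of any scanner's code: a minimal GF(256) encoder and single-symbol corrector using the QR code field polynomial 0x11D, with nsym=7 (the EC codeword count of a Version 1-L symbol) over constructed data bytes. It shows why a reader can still decode a partly damaged code; real QR symbols additionally interleave blocks and apply masking, which is left out here.

```python
# Added example (not from the thread): Reed-Solomon over GF(256) with the QR
# field polynomial 0x11D; nsym=7 is the EC count of a Version 1-L symbol.
from functools import reduce
PRIM = 0x11D
EXP, LOG = [0] * 512, [0] * 256
x = 1
for i in range(255):                  # antilog/log tables for alpha = 2
    EXP[i], LOG[x] = x, i
    x = (x << 1) ^ (PRIM if x & 0x80 else 0)
for i in range(255, 512):             # wrap so EXP[a + b] needs no modulo
    EXP[i] = EXP[i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def generator(nsym):                  # product of (x - alpha^i) for i < nsym
    g = [1]
    for i in range(nsym):
        new = [0] * (len(g) + 1)
        for j, c in enumerate(g):     # coefficients, highest degree first
            new[j] ^= c
            new[j + 1] ^= gf_mul(c, EXP[i])
        g = new
    return g

def rs_encode(data, nsym):            # systematic: data + nsym EC codewords
    g, msg = generator(nsym), list(data) + [0] * nsym
    for i in range(len(data)):        # polynomial long division by g
        if msg[i]:
            for j in range(1, len(g)):
                msg[i + j] ^= gf_mul(g[j], msg[i])
    return list(data) + msg[len(data):]

def syndromes(codeword, nsym):        # received polynomial at alpha^0..alpha^(nsym-1)
    return [reduce(lambda s, c: gf_mul(s, EXP[i]) ^ c, codeword, 0)
            for i in range(nsym)]

def rs_correct_single(codeword, nsym):
    # repair at most one damaged symbol; returns (fixed, position or None)
    s = syndromes(codeword, nsym)
    if not any(s):
        return list(codeword), None   # every syndrome zero: undamaged
    # one error e at degree d gives S0 = e and S1 = e * alpha^d
    pos = len(codeword) - 1 - (LOG[s[1]] - LOG[s[0]]) % 255
    fixed = list(codeword)
    if pos >= 0:
        fixed[pos] ^= s[0]
    if pos < 0 or any(syndromes(fixed, nsym)):
        raise ValueError("more than one damaged symbol")
    return fixed, pos
```

Flipping one byte of an encoded codeword and passing it to rs_correct_single recovers the original; a full decoder handles up to nsym/2 errors the same way, with a more general locator step.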