A seemingly benign health app, “BMI CalculationVsn,” distributed through the Amazon App Store, was found to be harvesting sensitive user data: disguised as a simple BMI calculator, it secretly extracted the package names of installed apps and incoming SMS messages.
Upon discovery, McAfee reported the threat to Amazon, resulting in the app’s immediate removal from the Amazon App Store.
Behind its calculator interface the app conceals malicious intent: once the user enters values, it surreptitiously exfiltrates sensitive personal data, including weight, height, and potentially other device information, to a remote server under the attacker’s control.
That data could be exploited for various malicious purposes, such as identity theft, targeted phishing attacks, or even blackmail, and the app may also install additional malware or engage in other harmful activities without the user’s knowledge or consent.
On Android devices the app exhibits further suspicious behavior: when a specific action is triggered, it starts a screen recording service that requests the recording permission.
While the code currently does not upload the recordings, it has the potential to capture sensitive user interactions. The app also scans for installed applications and collects all incoming SMS messages.
The list of installed apps could be used to identify valuable targets or plan further attacks, and the intercepted messages are uploaded to a Firebase storage bucket, potentially exposing sensitive data such as one-time passwords (OTPs).
This malicious app, initially disguised as a screen recorder, has undergone development since October 2024. Its recent iteration, marked by a BMI calculator icon, incorporates a stealthy SMS stealing feature.
According to McAfee, the use of the “testmlwr” Firebase Installation API confirms its current testing phase, suggesting that it hasn’t yet reached full deployment.
The Android malware, disguised as a legitimate app on the Amazon Appstore, was developed by an entity named PT. Visionet Data Internasional. However, this is a deceptive facade, as the actual developer is a malicious actor likely with ties to Indonesia.
The fraudster exploited the reputation of a legitimate Indonesian IT service provider to distribute this harmful software, indicating potential insider knowledge of the company or the Indonesian tech landscape.
To protect against malicious apps, take a multi-layered approach: install reputable antivirus software to proactively detect and block threats, and scrutinize app permission requests, granting only those essential for the app’s stated function (a BMI calculator has no need to read SMS messages or enumerate installed apps).
Monitor device behavior for anomalies such as performance degradation, excessive battery drain, or unexpected data usage, any of which may signal malicious activity. By diligently following these guidelines, users can significantly reduce their exposure to such attacks.