Malicious App Found on Amazon Appstore Masquerades as Health Tool
McAfee Labs uncovered a malicious app on the Amazon Appstore that disguised itself as a simple health tool while secretly stealing sensitive user data. The app, named “BMI CalculationVsn”, pretended to offer basic body mass index (BMI) calculations but engaged in covert activities like SMS interception and device monitoring.
At first glance, BMI CalculationVsn appeared to be a harmless app. As McAfee noted, “On the surface, this app appears to be a basic tool, providing a single page where users can input their weight and height to calculate their BMI.” However, hidden beneath this simple interface were sinister capabilities designed to compromise user privacy.
Upon closer inspection, McAfee researchers identified several alarming activities:
- Screen Recording: The app initiated a background service to record the screen whenever users clicked the “Calculate” button. While this functionality was incomplete and didn’t upload recordings to a command-and-control (C2) server, its presence indicates the developer’s intent to capture sensitive user inputs like gesture passwords.
- App Scanning: The spyware scanned devices for installed applications, likely to identify potential targets for further attacks.
- SMS Interception: Most concerning was its ability to intercept incoming SMS messages, including one-time passwords (OTP) and verification codes, which were stored on Firebase under the storage bucket testmlwr-d4dd7.appspot.com.
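As an added illustration (not McAfee's tooling and not taken from the report), the following script triages a decoded AndroidManifest.xml for declarations that commonly accompany the three behaviors listed above. The permission and component names are standard Android identifiers assumed here as indicators, since the report as summarized does not list the app's manifest entries; the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical calculator app (not the real one).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bmicalc">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="BMI Calc">
    <activity android:name=".MainActivity"/>
    <service android:name=".RecordService" android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Assumed indicators: permissions that let an app read incoming SMS.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def triage_manifest(xml_text):
    """Return {capability: [evidence]} for the three behaviors listed above."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = {}
    sms = sorted(perms & SMS_PERMS)
    for rcv in root.iter("receiver"):  # receivers subscribed to incoming SMS
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            sms.append("receiver " + rcv.get(ANDROID + "name"))
    if sms:
        findings["sms_interception"] = sms
    rec = ["service " + s.get(ANDROID + "name") for s in root.iter("service")
           if "mediaProjection" in (s.get(ANDROID + "foregroundServiceType") or "")]
    if rec:  # background service typed for screen capture
        findings["screen_recording"] = rec
    if "android.permission.QUERY_ALL_PACKAGES" in perms:  # full installed-app visibility
        findings["app_scanning"] = ["android.permission.QUERY_ALL_PACKAGES"]
    return findings

if __name__ == "__main__":
    for capability, evidence in triage_manifest(SAMPLE_MANIFEST).items():
        print(capability, "->", ", ".join(evidence))
```

A hit is a prompt for review rather than a verdict: the signal is the mismatch between these declarations and what a single-page calculator needs.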
The app appeared to be a work in progress, with its evolution traced back to October 2024. Initially a simple screen recording app, it later adopted the BMI calculator interface, and SMS stealing capabilities were added in the latest version. The timeline, as detailed by McAfee, revealed that the app was still under active development, with the Firebase API address using the term “testmlwr,” indicating a testing phase.
Interestingly, the app listed its developer as “PT. Visionet Data Internasional”, the name of a legitimate enterprise IT management provider in Indonesia. McAfee suggests this was a deliberate move to gain user trust, noting, “The malware author tricked users by abusing the names of an enterprise IT management service provider in Indonesia.”
After McAfee reported the app, Amazon quickly removed it from the Appstore. The discovery of BMI CalculationVsn is a sobering reminder of how even seemingly innocuous apps can harbor significant risks. As McAfee puts it, “Apps like ‘BMI CalculationVsn’ serve as a stark reminder that even the simplest tools can harbor hidden threats.”