Android malware found on Amazon Appstore disguised as health app

Share:

A malicious Android spyware application named ‘BMI CalculationVsn’ was discovered on the Amazon Appstore, masquerading as a simple health tool but stealing data from infected devices in the background.

The application was discovered by McAfee Labs researchers, who notified Amazon, leading to the application being removed from the store.

However, those who installed the app must manually remove it and perform a full scan to eliminate any leftover traces.

Android spyware on the Amazon store
The Amazon Appstore is a third-party app store for Android devices that comes pre-installed on Amazon Fire tablets and Fire TV devices.

It is also an alternative to Google Play for Android device owners who can’t or don’t want to use Google’s platform, even offering exclusive Amazon Prime games and content.

The BMI CalculationVsn spyware app, published by ‘PT Visionet Data Internasional,’ is promoted as a simple body mass index (BMI) calculator tool.

Spyware app
Spyware app on the Amazon Appstore
Source: McAfee
Opening the malicious app welcomes the user to a simple interface that provides the promised functionality, such as calculating their BMI. However, additional malicious actions are happening in the background.

First, the app starts a screen recording service that requests the appropriate permission when the user clicks the ‘Calculate’ button, which can be deceptive and trick people into reflex approvals.

Requesting permission to record the screen
Requesting permission to record the screen
Source: McAfee
McAfee says the recording is stored locally in an MP4 file but was not uploaded onto the command and control (C2) server, likely due to the app still being in an early testing development phase.

Code to record the device screen
Code to record the device screen
Source: McAfee
A little more digging into its release history by the researchers showed that the app first appeared in the wild on October 8. By the end of the month, it had changed its icon, added more malicious functions, and changed the certificate information.

The second malicious action performed by the app is scanning the device to retrieve all installed applications, allowing the attackers to plan their next steps.

Finally, the spyware intercepts and collects SMS messages sent and stored on the device, including one-time passwords (OTPs) and verification codes.

Stealing sensitive user data
Stealing sensitive user data
Source: McAfee
Given that dangerous apps can still slip through code review cracks in legitimate and otherwise trustworthy stores like the Amazon Appstore, it is important for Android users to only install apps from well-known publishers.

It is also recommended to scrutinize requested permissions and revoke risky ones even after installation.

Google Play Protect can detect and block known malware discovered by App Security Alliance partners, including McAfee, so keeping it active on Android devices is crucial.

Bill Toulas

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top