Dataconomy

Fake BMI calculator app on Amazon Appstore steals your data

Upon activation of the app, it initiates a screen recording service, requesting permission when the user clicks the 'Calculate' button

by Kerem Gülen
December 20, 2024
in News, Cybersecurity

A malicious Android spyware application, dubbed ‘BMI CalculationVsn,’ has been discovered on the Amazon Appstore, posing as a health tool while stealthily stealing data from users. This application was identified by McAfee Labs researchers, who promptly notified Amazon, resulting in its removal from the store. However, users who previously installed the app must manually delete it and conduct a full scan to ensure complete eradication of the spyware.

Malicious spyware app discovered on Amazon Appstore

The BMI CalculationVsn application, published by ‘PT Visionet Data Internasional,’ attempts to present itself as a straightforward body mass index (BMI) calculator. Users encounter a seemingly simple interface that allows them to input their weight and height to calculate their BMI; however, additional malevolent functions are executed in the background.

When the app is launched, it starts a screen recording service and requests permission when the user clicks the ‘Calculate’ button, a tactic that may lead users to approve the prompt reflexively. McAfee’s investigation found that the recorded video is stored locally as an MP4 file but was not uploaded to the command and control (C2) server, likely because the app is still in a developmental stage.

Further scrutiny into the app’s history indicated its initial appearance on October 8, with changes to its icon, the addition of further malicious functionalities, and updates to its certificate information by month’s end.


Functionalities and data theft measures

The BMI CalculationVsn app engages in various harmful activities designed to compromise user security. In addition to recording the screen, it scans the device for other installed applications, which may allow attackers to plan their next steps based on the information retrieved and to identify target users more effectively.

Moreover, the spyware intercepts and collects SMS messages stored on the device, potentially capturing one-time passwords (OTPs) and verification codes. The intercepted SMS data is subsequently uploaded to a Firebase storage bucket, clearly indicating a coordinated effort to extract sensitive user information.




The app remains a work in progress: research into its previous samples suggests that it is still in the testing phase. The code inspection revealed that the initial version launched as a screen recording app, and that its functionality was changed later, when the icon was switched to that of a BMI calculator.


The developer of BMI CalculationVsn operates under the name ‘PT Visionet Data Internasional,’ which appears to misuse the reputation of a legitimate enterprise IT management service provider in Indonesia. This suggests that the creator of the malware has a technical background and may possess an understanding of software development principles.

In light of this discovery, users are advised to remain vigilant when downloading apps from the Amazon Appstore, which, being an alternative to Google Play, may host apps that bypass traditional security measures. Precautions to consider include installing trusted antivirus software, meticulously reviewing requested app permissions, and being alert to unusual device behavior that could indicate malicious activity.
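One way to make the permission review concrete is to check a decoded AndroidManifest.xml for the capabilities described above (SMS access, installed-app enumeration, screen capture) that a calculator has no reason to request. This is an added example, not code from McAfee or from this article; the capability-to-permission mapping and the sample manifest are assumptions constructed for illustration, since the article does not list the app's actual manifest entries.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> manifest permissions that enable it (mapping assumed for this
# example; it is not an indicator list published for the app).
CAPABILITIES = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "app_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

# Constructed sample manifest in decoded (text) form; not taken from the real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bmicalc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".RecorderService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml, expected=frozenset()):
    """Return the sorted capabilities a manifest declares beyond `expected`."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, markers in CAPABILITIES.items() if perms & markers}
    # Screen capture can be declared only through a service's foreground
    # service type, with no dedicated permission on older API levels.
    for svc in root.iter("service"):
        types = (svc.get(ANDROID_NS + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in types:
            found.add("screen_capture")
    return sorted(found - set(expected))


if __name__ == "__main__":
    # A BMI calculator is expected to need none of these capabilities.
    for capability in audit_manifest(SAMPLE_MANIFEST):
        print("unexpected capability:", capability)
```

Pass the capabilities an app category legitimately needs in `expected` (for example `{"sms_access"}` for a messaging client) so that only the mismatches are reported.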

Despite the removal of the app from the Appstore, the risks to users who installed it remain.


Featured image credit: Kerem Gülen/Midjourney
