Android malware found on Amazon Appstore disguised as health app

A troubling discovery has emerged from the Amazon Appstore, where a malicious Android spyware application, cleverly disguised as a health tool named ‘BMI CalculationVsn,’ was found to be siphoning data from infected devices without the users’ knowledge. This insidious app, masquerading as a simple body mass index calculator, was identified by researchers at McAfee Labs, who promptly alerted Amazon, resulting in its removal from the platform.

Despite its removal, users who had previously installed the app face the responsibility of manually uninstalling it and conducting a comprehensive scan to ensure that any remnants of the spyware are eradicated from their devices.

Android spyware on the Amazon store

The Amazon Appstore serves as a third-party application marketplace for Android devices, pre-installed on Amazon Fire tablets and Fire TV devices. It offers an alternative for users who prefer not to engage with Google Play, providing access to exclusive Amazon Prime games and content.

The BMI CalculationVsn spyware, published by ‘PT Visionet Data Internasional,’ initially presents itself with a user-friendly interface that fulfills its advertised purpose of calculating BMI. However, beneath this benign facade lies a series of malicious activities operating silently in the background.

The app opens on a straightforward interface. Once the ‘Calculate’ button is pressed, however, it starts a screen recording service and deceptively requests the necessary permissions, a tactic that could easily mislead users into granting access without fully understanding the implications.

According to McAfee, the recorded footage is saved locally in an MP4 format but has not been uploaded to any command and control (C2) server, likely indicating that the app was still undergoing testing at the time of discovery.

Further investigation into the app’s release history revealed that it first appeared on October 8. By the end of the month, it had undergone several modifications, including changes to its icon, the addition of more malicious functions, and alterations to its certificate information.

The app’s second nefarious function involves scanning the device to identify all installed applications, which aids attackers in strategizing their next moves. Additionally, the spyware intercepts and collects SMS messages stored on the device, including sensitive information such as one-time passwords (OTPs) and verification codes.

This incident underscores the potential vulnerabilities that can exist even within reputable app stores like the Amazon Appstore. It serves as a reminder for Android users to exercise caution when downloading applications, favoring those from well-known publishers. Users are also advised to carefully review the permissions requested by apps and to revoke any that appear excessive or unnecessary, even post-installation.
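The permission review advised above can be automated. The following is an added example, not taken from McAfee's report or from the app: it parses the output of `adb shell dumpsys package <package>` and flags permissions that match the behaviours described (SMS collection, installed-app enumeration, screen capture). The mapping from behaviour to permission and the package name `com.example.bmicalc` are assumptions, and the sample output is constructed.

```python
import re

# Assumed mapping from the behaviours described in the article to standard
# Android permissions; the article does not list the app's actual manifest.
RISKY = {
    "android.permission.READ_SMS": "reads stored SMS (OTPs, verification codes)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "runs a screen-capture service",
}

# Constructed sample resembling `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.bmicalc] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.FOREGROUND_SERVICE
      android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION
      android.permission.QUERY_ALL_PACKAGES
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.QUERY_ALL_PACKAGES: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
"""

def audit(dumpsys_text):
    """Return {permission: {"reason", "granted"}} for risky requested permissions."""
    requested, granted, section = set(), {}, None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"([a-z ]+permissions):", stripped)
        if header:  # e.g. "requested permissions:", "runtime permissions:"
            section = header.group(1)
            continue
        m = re.match(r"([\w.]+\.permission\.\w+)(?::\s*granted=(true|false))?", stripped)
        if not m or section is None:
            continue
        if section == "requested permissions":
            requested.add(m.group(1))
        elif m.group(2):  # install/runtime sections carry the grant state
            granted[m.group(1)] = m.group(2) == "true"
    return {p: {"reason": RISKY[p], "granted": granted.get(p)}
            for p in sorted(requested & set(RISKY))}
```

A `granted` value of `None` means the permission was requested but no grant state appeared in the dump; a runtime permission reported as `True` is one the user can still revoke in the device settings.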

To bolster security, keeping Google Play Protect activated on Android devices is essential, as it can detect and block known malware identified by partners within the App Security Alliance, including McAfee.
