Android malware

A malicious Android spyware application named 'BMI CalculationVsn' was discovered on the Amazon Appstore, masquerading as a simple health tool but stealing data from infected devices in the background.

The application was discovered by McAfee Labs researchers, who notified Amazon, leading to the application being removed from the store.

However, those who installed the app must manually remove it and perform a full scan to eliminate any leftover traces.

Android spyware on the Amazon store

The Amazon Appstore is a third-party app store for Android devices that comes pre-installed on Amazon Fire tablets and Fire TV devices.

It is also an alternative to Google Play for Android device owners who can't or don't want to use Google's platform, even offering exclusive Amazon Prime games and content.

The BMI CalculationVsn spyware app, published by 'PT Visionet Data Internasional,' is promoted as a simple body mass index (BMI) calculator tool.

Spyware app
Spyware app on the Amazon Appstore
Source: McAfee

Opening the malicious app welcomes the user to a simple interface that provides the promised functionality, such as calculating their BMI. However, additional malicious actions are happening in the background.

First, the app starts a screen recording service that requests the appropriate permission when the user clicks the 'Calculate' button, which can be deceptive and trick people into reflex approvals.

Requesting permission to record the screen
Requesting permission to record the screen
Source: McAfee

McAfee says the recording is stored locally in an MP4 file but was not uploaded onto the command and control (C2) server, likely due to the app still being in an early testing development phase.

Code to record the device screen
Code to record the device screen
Source: McAfee

A little more digging into its release history by the researchers showed that the app first appeared in the wild on October 8. By the end of the month, it had changed its icon, added more malicious functions, and changed the certificate information.

The second malicious action performed by the app is scanning the device to retrieve all installed applications, allowing the attackers to plan their next steps.

Finally, the spyware intercepts and collects SMS messages sent and stored on the device, including one-time passwords (OTPs) and verification codes.

Stealing sensitive user data
Stealing sensitive user data
Source: McAfee

Given that dangerous apps can still slip through code review cracks in legitimate and otherwise trustworthy stores like the Amazon Appstore, it is important for Android users to only install apps from well-known publishers.

It is also recommended to scrutinize requested permissions and revoke risky ones even after installation.

Google Play Protect can detect and block known malware discovered by App Security Alliance partners, including McAfee, so keeping it active on Android devices is crucial.

Related Articles:

New Android NoviSpy spyware linked to Qualcomm zero-day bugs

New Android spyware found on phone seized by Russian FSB

BadBox malware botnet infects 192,000 Android devices despite disruption

Russian cyberspies target Android users with new spyware

New EagleMsgSpy Android spyware used by Chinese police, researchers say