Recently, a rather innocuous application named “BMI CalculationVsn” has been uncovered on the Amazon App Store, posing as a regular health tool to pilfer information.
This app engages in nefarious activities like screen recording, fetching a roster of all installed applications, and capturing incoming SMS messages.
The application presents itself as a basic tool that enables users to determine their BMI by inputting their height and weight on a single interface screen.
While its user interface gives the impression of a standard health system, there lurk several unlawful operations beneath its benign facade.
Insight Into The Malicious Activities
According to McAfee, the app deploys a background service to execute screen recording. Upon pressing the “Calculate” button, the Android system triggers screen recording and prompts for authorization.
This function may capture confidential information or gesture-based passcodes from other apps, with the authorization request popping up upon commencement of the recording.
.webp)
To compile a list of all installed apps, the app scans the device, potentially identifying target users through this data or strategizing more sophisticated assaults.
.webp)
Additionally, it intercepts and gathers all SMS messages received on the device, possibly aiming to acquire sensitive data, verification codes, and one-time passwords (OTPs).
The intercepted messages are stored on Firebase (storage bucket: testmlwr-d4dd7.appspot.com).
The app’s creator, “PT. Visionet Data Internasional,” is named on the Amazon page. To disseminate this malware on the Amazon Appstore, the developer duped customers by adopting an Indonesian enterprise IT management service provider’s identity.
An analysis of past samples suggests that this malicious app is still in its testing and development stages and is not yet fully finalized.
Originally developed in October 2024 as a screen recording app, this malware underwent a transformation during development, changing its icon to a BMI calculator and incorporating a feature to pilfer SMS messages in its latest version.
The app is no longer accessible on the Amazon Appstore after McAfee reported it to Amazon, who promptly removed it.
Suggestions
Remaining vigilant and enforcing robust security measures are crucial to safeguarding your privacy and data.
It’s advisable to use reputable antivirus software to identify and halt harmful apps before they can cause harm. Pay attention to the permissions an app requests during installation.
Watch out for any peculiar app behavior that may indicate clandestine operations, such as diminished device performance, rapid battery depletion, or increased data usage.
Indicators of Compromise
Source website:
hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/
C2 servers/Storage buckets:
hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7
hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
testmlwr-d4dd7.appspot.com
Sample Hash:
8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a
The article Malicious Apps On Amazon Appstore Records Screen & Intercept OTP’s was first published on Cyber Security News.