Authored by Wenfeng Yu and ZePeng Chen
As smartphones have turn into an integral a part of our day by day lives, malicious apps have grown more and more misleading and complex. Lately, we uncovered a seemingly innocent app known as “BMI CalculationVsn” on the Amazon App Retailer, which is secretly stealing the package deal title of put in apps and incoming SMS messages beneath the guise of a easy well being device. McAfee reported the found app to Amazon, which took immediate motion, and the app is not obtainable on Amazon Appstore.
Determine 1. Software revealed on Amazon Appstore
Superficial Performance: Easy BMI Calculation
On the floor, this app seems to be a primary device, offering a single web page the place customers can enter their weight and peak to calculate their BMI. Its interface appears totally according to a normal well being utility. Nevertheless, behind this harmless look lies a spread of malicious actions.
Determine 2. Software MainActivity
Malicious Actions: Stealing Non-public Knowledge
Upon additional investigation, we found that this app engages within the following dangerous behaviors:
- Display Recording: The app begins a background service to report the display and when the consumer clicks the “Calculate” button, the Android system will pop up request display recording permission message and begin display recording. This performance is more likely to seize gesture passwords or delicate knowledge from different apps. Within the evaluation of the newest current samples, it was discovered that the developer was not prepared for this operate. The code didn’t add the recorded mp4 file to the C2 server, and originally of the startRecording() technique, the developer added a code that immediately returns and doesn’t execute observe code.
Determine 3. Display Recorder Service Code
When the recording begins, the permission request dialog might be displayed.
Determine 4. Begin Recording Request.
- Put in App Data: The app scans the gadget to retrieve an inventory of all put in functions. This knowledge could possibly be used to establish goal customers or plan extra superior assaults.
Determine 5. Add Person Knowledge
- SMS Messages: It intercepts and collects all SMS messages obtained on the gadget, probably to seize one-time password (OTP), verification codes and delicate info. The intercepted textual content messages might be added to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).
Malware beneath improvement:
In accordance with our evaluation of historic samples, this malicious app remains to be beneath improvement and testing stage and has not reached a accomplished state. By trying to find associated samples on VirusTotal based mostly on the malware’s package deal title (com.zeeee.recordingappz) revealed its improvement historical past. We are able to see that this malware was first developed in October 2024 and initially developed as a display recording app, however halfway by way of the app’s icon was modified to the BMI calculator, and the payload to steal SMS messages was added within the newest model.
Determine 6. The Timeline of Software Growth
The handle of the Firebase Set up API utilized by this app makes use of the character “testmlwr” which signifies that this app remains to be within the testing part.
App Developer Data:
In accordance with the detailed details about this app product on the Amazon web page, the developer’s title is: “PT. Visionet Knowledge Internasional”. The malware writer tricked customers by abusing the names of an enterprise IT administration service supplier in Indonesia to distribute this malware on Amazon Appstore. This reality means that the malware writer could also be somebody with data of Indonesia.
Determine 7. Developer Data
The way to Shield Your self
To keep away from falling sufferer to such malicious apps, we advocate the next precautions:
- Set up Trusted Antivirus Apps: Use dependable antivirus software program to detect and stop malicious apps earlier than they will trigger hurt.
- Overview Permission Requests: When putting in an app, rigorously look at the permissions it requests. Deny any permissions that appear unrelated to its marketed performance. For example, a BMI calculator has no professional motive to request entry to SMS or display recording.
- Keep Alert: Look ahead to uncommon app habits, equivalent to diminished gadget efficiency, fast battery drain, or a spike in knowledge utilization, which may point out malicious exercise operating within the background.
Conclusion
As cybercrime continues to evolve, it’s essential to stay vigilant in defending our digital lives. Apps like “BMI CalculationVsn” function a stark reminder that even the best instruments can harbor hidden threats. By staying alert and adopting sturdy safety measures, we are able to safeguard our privateness and knowledge.
IoC
Distribution web site:
- hxxps://www.amazon.com/PT-Visionet-Knowledge-Internasional-CalculationVsn/dp/B0DK1B7ZM5/
C2 servers/Storage buckets:
- hxxps://firebaseinstallations.googleapis.com/v1/tasks/testmlwr-d4dd7
- hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
- testmlwr-d4dd7.appspot.com
Pattern Hash:
- 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a
