A BMI App That Can Steal Your Data

December 19, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

What appears to be a simple health tool can sometimes harbour malicious intent.

This was the case with an app named BMI CalculationVsn, recently uncovered by McAfee Labs on the Amazon Appstore.

At first glance, the app seemed harmless: a basic tool where users could input their weight and height to calculate their Body Mass Index (BMI). Its interface was simple and consistent with standard health applications. Beneath this innocent façade, however, the app was sophisticated malware targeting Android users.

As smartphones have become indispensable in daily life, malicious apps have evolved in complexity, using clever disguises to evade detection. The BMI CalculationVsn app exploited its appearance as a harmless health tool to infiltrate users’ devices, steal sensitive data, and conduct covert operations.

Unmasking Malicious Activities

Wenfeng Yu and ZePeng Chen write in a blog post that, on deeper investigation, the team discovered a range of harmful activities embedded within the app. These included:

Screen Recording

The app launched a background service to record the user’s screen. When the user clicked the “Calculate” button, the Android system displayed a screen recording permission request. If granted, the app began capturing sensitive on-screen activities, such as gesture passwords or confidential data from other apps.

Installed App Information

The malware scanned devices to retrieve a list of installed applications. This information could be used to profile target users or plan more advanced attacks based on app usage.

SMS Interception

Perhaps most concerning was the app’s ability to intercept and collect all incoming SMS messages. This functionality allowed it to capture one-time passwords (OTPs), verification codes, and other sensitive text-based communications. The intercepted messages were then uploaded to Firebase, a popular cloud-hosting service.

These behaviors highlighted the growing sophistication of malicious software targeting Android devices.
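
As an added example (not from McAfee's analysis or the original article), the following Python check triages a decoded AndroidManifest.xml for the three capabilities listed above and reports any that the app's stated purpose does not explain. The manifest is constructed, and the mapping of each behaviour to Android permissions, foreground service types and broadcast actions is an assumption based on the Android platform, not on the sample's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for illustration; not taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bmicalc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".RecordService"
             android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the sorted list of behaviours the manifest makes possible."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    fgs_types = set()
    for svc in root.iter("service"):
        # foregroundServiceType is a '|'-separated flag list
        types = svc.get(ANDROID + "foregroundServiceType", "")
        fgs_types.update(t.strip() for t in types.split("|"))
    findings = set()
    if perms & SMS_PERMS or SMS_ACTION in actions:
        findings.add("sms_interception")
    if "mediaProjection" in fgs_types:
        findings.add("screen_recording")
    if "android.permission.QUERY_ALL_PACKAGES" in perms or root.find("queries") is not None:
        findings.add("installed_app_listing")
    return sorted(findings)

def is_suspicious(xml_text, declared_purpose_needs=()):
    """Flag any capability the app's stated purpose does not explain."""
    return [f for f in triage_manifest(xml_text) if f not in declared_purpose_needs]

if __name__ == "__main__":
    print(is_suspicious(SAMPLE_MANIFEST))
```

Each finding is a capability, not proof of abuse: a screen recorder legitimately needs the first and a messaging app the second, which is why the check compares against what the app claims to be.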

A Malware Still in Development

McAfee’s analysis revealed that the BMI CalculationVsn app was still in its development phase. Historical samples traced through VirusTotal, a malware repository, showed the app’s evolution. Initially launched in October 2024 as a basic screen recording tool, the app’s developers later transformed it into a BMI calculator. The payload for stealing SMS messages was added in the most recent version, suggesting the malware was being refined for more advanced exploits.

The Developer’s Identity: A Case of Deception

A closer look at the app’s developer information revealed a suspicious detail. The developer was listed as PT. Visionet Data Internasional, a name associated with a legitimate enterprise IT management service provider in Indonesia. By using this name, the malware authors likely aimed to gain user trust and avoid detection. This tactic, combined with the app’s seemingly harmless functionality, enabled the malware to infiltrate devices under the radar.

While the actual identity of the developer remains unclear, evidence suggests that the creators of the malware had knowledge of Indonesian IT systems and practices.

Swift Action and Lessons Learned

Upon discovery, McAfee Labs promptly reported the app to Amazon, which acted quickly to remove it from the Appstore.

The BMI CalculationVsn app is a clear example of how cybercriminals exploit trust and hide malicious intent behind seemingly useful tools. As mobile malware becomes more deceptive, users must stay informed and cautious. Collaboration between cybersecurity researchers, app platforms, and users is essential in combating these evolving threats and ensuring a safer digital environment.