Spyware distributed via Amazon Appstore

0
349
Spyware distributed via Amazon Appstore


Authored by Wenfeng Yu and ZePeng Chen

As smartphones have change into an integral a part of our every day lives, malicious apps have grown more and more misleading and complex. Recently, we uncovered a seemingly innocent app referred to as “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the bundle identify of put in apps and incoming SMS messages below the guise of a easy well being instrument. McAfee reported the found app to Amazon, which took immediate motion, and the app is not obtainable on Amazon Appstore.

Figure 1. Application revealed on Amazon Appstore

 

Superficial Functionality: Simple BMI Calculation

On the floor, this app seems to be a fundamental instrument, offering a single web page the place customers can enter their weight and peak to calculate their BMI. Its interface seems solely in line with a typical well being software. However, behind this harmless look lies a spread of malicious actions.

Figure 2. Application MainActivity

 

Malicious Activities: Stealing Private Data

Upon additional investigation, we found that this app engages within the following dangerous behaviors:

  1. Screen Recording: The app begins a background service to file the display screen and when the consumer clicks the “Calculate” button, the Android system will pop up request display screen recording permission message and begin display screen recording. This performance is more likely to seize gesture passwords or delicate information from different apps. In the evaluation of the newest present samples, it was discovered that the developer was not prepared for this operate. The code didn’t add the recorded mp4 file to the C2 server, and originally of the beginningRecording() technique, the developer added a code that instantly returns and doesn’t execute comply with code.

Figure 3. Screen Recorder Service Code

 

When the recording begins, the permission request dialog will probably be displayed.

Figure 4. Start Recording Request.

 

  1. Installed App Information: The app scans the machine to retrieve an inventory of all put in functions. This information could possibly be used to determine goal customers or plan extra superior assaults.

Figure 5. Upload User Data

 

  1. SMS Messages: It intercepts and collects all SMS messages obtained on the machine, probably to seize one-time password (OTP), verification codes and delicate info. The intercepted textual content messages will probably be added to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).

Malware below improvement:

According to our evaluation of historic samples, this malicious app continues to be below improvement and testing stage and has not reached a accomplished state. By looking for associated samples on VirusTotal primarily based on the malware’s bundle identify (com.zeeee.recordingappz) revealed its improvement historical past. We can see that this malware was first developed in October 2024 and initially developed as a display screen recording app, however halfway via the app’s icon was modified to the BMI calculator, and the payload to steal SMS messages was added within the newest model.

Figure 6. The Timeline of Application Development

 

The tackle of the Firebase Installation API utilized by this app makes use of the character “testmlwr” which signifies that this app continues to be within the testing section.

App Developer Information:

According to the detailed details about this app product on the Amazon web page, the developer’s identify is: “PT. Visionet Data Internasional”. The malware creator tricked customers by abusing the names of an enterprise IT administration service supplier in Indonesia to distribute this malware on Amazon Appstore. This reality means that the malware creator could also be somebody with information of Indonesia.

Figure 7. Developer Information

 

How to Protect Yourself

To keep away from falling sufferer to such malicious apps, we advocate the next precautions:

  1. Install Trusted Antivirus Apps: Use dependable antivirus software program to detect and stop malicious apps earlier than they will trigger hurt.
  2. Review Permission Requests: When putting in an app, fastidiously look at the permissions it requests. Deny any permissions that appear unrelated to its marketed performance. For occasion, a BMI calculator has no authentic cause to request entry to SMS or display screen recording.
  3. Stay Alert: Watch for uncommon app conduct, equivalent to decreased machine efficiency, speedy battery drain, or a spike in information utilization, which might point out malicious exercise operating within the background.

Conclusion

As cybercrime continues to evolve, it’s essential to stay vigilant in defending our digital lives. Apps like “BMI CalculationVsn” function a stark reminder that even the only instruments can harbor hidden threats. By staying alert and adopting strong safety measures, we are able to safeguard our privateness and information.

IoC

Distribution web site:

  • hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/

C2 servers/Storage buckets:

  • hxxps://firebaseinstallations.googleapis.com/v1/tasks/testmlwr-d4dd7
  • hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
  • testmlwr-d4dd7.appspot.com

Sample Hash:

  • 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a

Introducing McAfee+

Identity theft safety and privateness to your digital life



LEAVE A REPLY

Please enter your comment!
Please enter your name here