Malicious Apps On Amazon Appstore Records Screen & Intercept OTP’s

Recently, researchers have discovered a relatively harmless app called “BMI CalculationVsn” on the Amazon App Store, masquerading as a normal health tool to steal data.

This application performs malicious actions like screen recording, retrieving a list of all installed apps, and capturing incoming SMS messages.

The app seems to be a simple application that allows users to calculate their BMI by entering their height and weight on a single screen. 

Its user interface appears to be completely consistent with that of a typical health system. However, there are a number of illicit activities going on behind this harmless appearance.

Application published on Amazon Appstore

Overview Of The Malicious Activities

McAfee says the application launches a background service to record the screen. When the user presses the “Calculate” button, the Android system will initiate screen recording and display a request for permission.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

This feature may capture sensitive information or gesture passwords from other apps. The permission request dialog will appear when the recording begins.

Start Recording Request

To get a list of all installed apps, the app scans the device. Target users might be identified using this data, or more sophisticated attacks could be planned.

Upload user data

Further, all SMS messages received on the device are intercepted and gathered, possibly with the intention of obtaining sensitive data, verification codes, and one-time passwords (OTPs). 

The intercepted text messages will be saved to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).

The developer of this app, “PT. Visionet Data Internasional,” is listed on the Amazon page.To disseminate this malware on the Amazon Appstore, the malware author deceived customers by using the names of an Indonesian enterprise IT management service provider. 

The analysis of historical samples indicates that this malicious application is still in the testing and development phase and has not yet been completed.

This malware was initially created in October 2024 as a screen recording app. However, in the middle of the development process, the app’s icon was modified to the BMI calculator, and the most recent version incorporated a payload that allowed it to steal SMS messages.

The app is no longer accessible on the Amazon Appstore after McAfee reported it to Amazon, who responded immediately to remove it.

Recommendations

It is important to remain cautious and implement strong security measures to protect your privacy and data.

It is recommended to use trustworthy antivirus software to find and stop harmful apps before they have a chance to do any damage. Pay close attention to the permissions an application asks for when you install it. 

Keep an eye out for odd app behavior that could point to malicious activity operating in the background, such as decreased device performance, fast battery drain, or an increase in data usage.

IoC

Distribution website:

hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/

C2 servers/Storage buckets:

hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7
hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
testmlwr-d4dd7.appspot.com

Sample Hash:

8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The post Malicious Apps On Amazon Appstore Records Screen & Intercept OTP’s appeared first on Cyber Security News.