How much damage can a BMI calculator app do to your phone? As it turns out, it’s not what the app can do but what it harbors in its code that you have to look out for. Such is the case of an app uploaded to the Amazon Appstore that had some really devastating code under the hood…that is, it would have been if the developer coded it properly.
McAfee Spots Malfunctioning Spyware in a BMI App on the Amazon Appstore
As spotted by McAfee, this malicious app poses as a simple BMI calculator. Sure enough, when you download it, it does exactly that; you can enter your height and weight, and it will let you know if your BMI is within a good range.
However, something weird happens when you click “Calculate.” Suddenly, the app asks you to allow it to record your screen. Given where the permission request was placed, it seems the cybercriminal wanted to capitalize on people being impatient and accepting any popup that appears to get their BMI result.
If the user accepts this request, the app begins recording the target’s screen. This is presumably to steal any private details the user enters into apps. The malicious app can also record SMS messages (presumably to steal 2FA codes) and grab a list of the target’s apps.
Or, at least, it should have done that. As it turns out, when McAfee dissected the code, the app had all the means to gather and harvest data, but it failed to actually send it anywhere. It’s uncertain if the cybercriminal wanted to keep a low profile and wait for more downloads before activating it, or they just plain forgot. Either way, the app was taken down before it could do any damage.
While we got lucky this time, not all malicious apps will fall at the final hurdle like this one. Always take care when downloading apps, even if they are seemingly simple in nature and offered on an official app store. If an app asks for Android permissions that it doesn’t rightfully need (like screen recording permissions for a BMI app), deny it; who knows what kind of things the app can harvest if you allow it?