An app that marketed itself as a BMI calculator was actually an infostealer with the ability to record screen activity, steal text messages and survey the list of the other apps on the device, according to researchers at McAfee.
# Incident Report: Malicious BMI Calculator Infostealer on Amazon Appstore
## Executive Summary
Researchers at McAfee discovered a malicious Android application named "BMI CalculationVsn" listed on the Amazon Appstore, disguised as a legitimate body mass index calculator. This app functioned as an information-stealing malware capable of recording screens, stealing text messages, and inventorying installed applications. McAfee reported the finding to Amazon, leading to the app's swift removal from the store.
## Incident Details
- Discovery Date: December 2024 (the app first appeared on the store in October 2024; McAfee identified its malicious behaviour in December)
- Incident Date: Ongoing malware distribution before discovery and reporting in December 2024
- Affected Organization: Consumers using Android devices who downloaded the application.
- Sector: Consumer Software/Mobile Applications
- Geography: Global distribution via the Amazon Appstore; the developer's abuse of an Indonesian IT service provider's name suggests a connection to Indonesia.
## Timeline of Events
### Initial Access
- Date/Time: First published in October 2024 as a screen recording app; the BMI calculator disguise and the additional stealing functionality were added later, before McAfee's discovery in December 2024.
- Vector: Malicious application uploaded to the Amazon Appstore.
- Details: The app masqueraded as a "BMI CalculationVsn" tool. The malware author reportedly abused the names of an enterprise IT management service provider in Indonesia to distribute the malware.
### Lateral Movement
- Details: Not explicitly detailed; the malware collected data locally (screen activity, SMS, app list), which points to compromise of the individual device rather than movement across a network.
### Data Exfiltration/Impact
- Details: The malware was an infostealer designed to record screen activity, steal text messages, and survey the list of other applications installed on the device.
### Detection & Response
- Detection: Discovered by researchers at McAfee. Evidence noted on VirusTotal indicated the app was still under development.
- Response Actions: McAfee reported the application to Amazon. Amazon took prompt action, removing the app from the Amazon Appstore.
## Attack Methodology
- Initial Access: Social engineering via a seemingly benign app listing (BMI Calculator) distributed through the Amazon Appstore.
- Persistence: Implied persistence on the device once installed (as it was actively stealing data).
- Privilege Escalation: Not explicitly detailed, but necessary to gain access to SMS and screen recording capabilities on the Android device.
- Defense Evasion: Successfully disguised itself as a legitimate utility app; initial variants were deployed under different pretenses (screen recording app).
- Credential Access: Not explicitly mentioned, but text message theft often leads to credential exposure (e.g., 2FA codes).
- Discovery: Screen recording functionality suggests active system monitoring/reconnaissance.
- Lateral Movement: Not explicitly detailed regarding network movement.
- Collection: Recording screen activity, stealing text messages, and compiling a list of installed applications.
- Exfiltration: Data exfiltration mechanisms were implied as part of its function as an infostealer, though specific communication channels were not detailed.
- Impact: Unauthorized access to sensitive user data including communications and device usage patterns.
## Impact Assessment
- Financial: Unknown number of users potentially compromised; any financial loss would be indirect (fraud enabled by the stolen data).
- Data Breach: Sensitive data including text messages, device screen recordings, and a manifest of installed applications.
- Operational: None reported; Amazon hosted the app but was not itself the target.
- Reputational: Minor negative impact for the platform (Amazon Appstore) due to hosting malicious content, mitigated by prompt removal.
## Indicators of Compromise
- Network Indicators: None provided in the source report.
- File Indicators: Application name noted as "BMI CalculationVsn."
- Behavioral Indicators: Screen recording, SMS interception, device application inventory scanning.
## Response Actions
- Containment Measures: McAfee reported the app to Amazon.
- Eradication Steps: Amazon removed the application from the Amazon Appstore.
- Recovery Actions: Affected users would need to manually uninstall the application and review data security.
## Lessons Learned
- Legitimate gateways (like mainstream app stores) are persistent targets for threat actors who modify applications to include malware payloads.
- Threat actors continuously evolve their tactics, as this app shifted its functionality from a simple screen recorder to a more comprehensive infostealer (SMS/app list theft).
- The use of localized social engineering techniques (abusing an Indonesian IT service provider's name) shows targeted distribution methods.
## Recommendations
- Users should exercise extreme caution when downloading niche utility apps, even from known official storefronts like the Amazon Appstore.
- App store vetting processes must continuously adapt to detect subtle functionality shifts in applications over time (e.g., version updates that introduce new malicious capabilities).
- Device users should regularly audit installed applications and ensure strong privacy settings are maintained, particularly for permissions like SMS access and screen recording.
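As an added illustration of the permission audit recommended above (example code written for this page, not McAfee's analysis and not the real app's manifest), the Python script below parses a decoded AndroidManifest.xml and flags permissions and components that a BMI calculator has no reason to declare. The mapping from the report's behavioural indicators (SMS interception, app inventory, screen recording) to specific Android permissions, the baseline of permissions a BMI app legitimately needs, and both sample manifests are assumptions; the script expects the text form of the manifest (for example as produced by apktool), not the binary XML inside an APK.

```python
"""Flag Android manifest permissions that do not fit an app's stated purpose.

Input: the decoded (text) AndroidManifest.xml of an APK. The sample manifests
below are constructed for illustration and are NOT the manifest of the app
described in the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Assumed mapping: the capabilities named in the report's behavioural
# indicators and the permissions an app would typically declare to use them.
SUSPECT_CAPABILITIES = {
    "sms_interception": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "app_inventory": {
        "android.permission.QUERY_ALL_PACKAGES",  # broad package visibility (Android 11+)
    },
    "screen_recording": {
        # Foreground-service type required for MediaProjection on Android 14+
        "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
    },
}

# Assumed baseline: all a simple BMI calculator plausibly needs.
BMI_BASELINE = {"android.permission.INTERNET"}

# Constructed sample: a "BMI calculator" that also asks for SMS, package
# visibility and media-projection permissions and registers an SMS receiver.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bmi.calc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="BMI Calculator">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a manifest that stays within the baseline.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bmi.plain">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="BMI Calculator"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def sms_receivers(manifest_xml: str) -> list[str]:
    """Return receiver class names whose intent filters listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            hits.append(receiver.get(ANDROID_NS + "name"))
    return sorted(hits)


def assess(manifest_xml: str, allowed: set[str]) -> dict[str, list[str]]:
    """Map each suspect capability to the evidence for it outside the baseline.

    Evidence is the sorted list of unexpected permissions plus, for SMS
    interception, any receiver registered for SMS_RECEIVED ("receiver:<name>").
    An empty dict means the manifest stays within `allowed`.
    """
    unexpected = declared_permissions(manifest_xml) - allowed
    findings: dict[str, list[str]] = {}
    for capability, needed in SUSPECT_CAPABILITIES.items():
        matched = sorted(unexpected & needed)
        if matched:
            findings[capability] = matched
    for name in sms_receivers(manifest_xml):
        findings.setdefault("sms_interception", []).append(f"receiver:{name}")
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess(manifest, BMI_BASELINE)
        print(f"{label}: {result if result else 'no findings'}")
```

Run against a real decoded manifest by reading the file into `assess()` with a baseline appropriate to the app's advertised purpose; a non-empty result is a reason to inspect the app before installing or to revoke the flagged permissions in device settings. Declared permissions are only an upper bound on what an app can do, so this check complements rather than replaces behavioural analysis of the kind McAfee performed.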