www.mcafee.com
104.81.74.34  Public Scan

URL: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-through-amazon-appstore/
Submission: On December 20 via api from IN — Scanned from DE



SPYWARE DISTRIBUTED THROUGH AMAZON APPSTORE



McAfee Labs

Dec 18, 2024

5 MIN READ

Authored by Wenfeng Yu and ZePeng Chen

As smartphones have become an integral part of our daily lives, malicious apps
have grown increasingly deceptive and sophisticated. Recently, we uncovered a
seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store,
which secretly steals the package names of installed apps and incoming SMS
messages under the guise of a simple health tool. McAfee reported the discovered
app to Amazon, which took prompt action, and the app is no longer available on
Amazon Appstore.



Figure 1. Application published on Amazon Appstore

 


SUPERFICIAL FUNCTIONALITY: SIMPLE BMI CALCULATION

On the surface, this app appears to be a basic tool, providing a single page
where users can input their weight and height to calculate their BMI. Its
interface looks entirely consistent with a standard health application. However,
behind this innocent appearance lies a range of malicious activities.



Figure 2. Application MainActivity

 


MALICIOUS ACTIVITIES: STEALING PRIVATE DATA

Upon further investigation, we discovered that this app engages in the following
harmful behaviors:

 1. Screen Recording: The app starts a background service to record the screen.
    When the user clicks the “Calculate” button, the Android system displays a
    screen recording permission request and starts screen recording. This
    functionality is likely intended to capture gesture passwords or sensitive
    data from other apps. Analysis of the latest existing samples shows that the
    developer had not finished this function: the code does not upload the
    recorded mp4 file to the C2 server, and at the beginning of the
    startRecording() method the developer added a statement that returns
    immediately, so the code that follows never executes.



Figure 3. Screen Recorder Service Code

 

When the recording starts, the permission request dialog will be displayed.



Figure 4. Start Recording Request.

 

 2. Installed App Information: The app scans the device to retrieve a list of
    all installed applications. This data could be used to identify target users
    or plan more advanced attacks.



Figure 5. Upload User Data

 

 3. SMS Messages: It intercepts and collects all SMS messages received on the
    device, potentially to capture one-time passwords (OTPs), verification
    codes and other sensitive information. The intercepted text messages are
    added to Firebase (storage bucket: testmlwr-d4dd7.appspot.com).


MALWARE UNDER DEVELOPMENT:

According to our analysis of historical samples, this malicious app is still in
the development and testing stage and has not reached a completed state.
Searching VirusTotal for related samples based on the malware’s package name
(com.zeeee.recordingappz) revealed its development history. The malware was
first developed in October 2024, originally as a screen recording app; midway
through development the app’s icon was changed to the BMI calculator, and the
payload to steal SMS messages was added in the latest version.



Figure 6. The Timeline of Application Development

 

The address of the Firebase Installation API used by this app contains the
string “testmlwr”, which indicates that this app is still in the testing phase.


APP DEVELOPER INFORMATION:

According to the detailed information about this app on its Amazon product page,
the developer’s name is “PT. Visionet Data Internasional”. The malware author
tricked users by abusing the name of an enterprise IT management service
provider in Indonesia to distribute this malware on Amazon Appstore. This fact
suggests that the malware author may be someone with knowledge of Indonesia.



Figure 7. Developer Information

 


HOW TO PROTECT YOURSELF

To avoid falling victim to such malicious apps, we recommend the following
precautions:

 1. Install Trusted Antivirus Apps: Use reliable antivirus software to detect
    and prevent malicious apps before they can cause harm.
 2. Review Permission Requests: When installing an app, carefully examine the
    permissions it requests. Deny any permissions that seem unrelated to its
    advertised functionality. For instance, a BMI calculator has no legitimate
    reason to request access to SMS or screen recording.
 3. Stay Alert: Watch for unusual app behavior, such as reduced device
    performance, rapid battery drain, or a spike in data usage, which could
    indicate malicious activity running in the background.
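
The permission review in step 2 can be automated for a decoded AndroidManifest.xml. The following is an added example, not code from the McAfee analysis: it flags the manifest entries that would normally enable the three behaviours described above. The sample manifest, its package name and the `triage` helper are constructed for illustration, and the input is assumed to be the text form of the manifest (already decoded from the APK's binary XML).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permissions that map to the behaviours described in the article.
SUSPICIOUS = {
    "android.permission.RECEIVE_SMS": "receives incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "reads stored SMS messages",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION":
        "runs a screen capture foreground service",
}

# Constructed sample: what a calculator-style app with these capabilities
# could declare. This is NOT the manifest of the analysed sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bmicalc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".RecorderService"
             android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""


def triage(manifest_xml, allowed=frozenset()):
    """Return (name, reason) pairs for entries outside the app's expected set.

    `allowed` holds permissions that fit the advertised functionality,
    e.g. an SMS client would legitimately list RECEIVE_SMS.
    """
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPICIOUS and name not in allowed:
            findings.append((name, SUSPICIOUS[name]))
    # Screen capture consent is a runtime dialog, so also look for the
    # service type that a recording service has to declare.
    for svc in root.iter("service"):
        types = svc.get(ANDROID_NS + "foregroundServiceType", "").split("|")
        if "mediaProjection" in types:
            findings.append((svc.get(ANDROID_NS + "name", ""),
                             "service declared for screen capture"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```
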


CONCLUSION

As cybercrime continues to evolve, it is crucial to remain vigilant in
protecting our digital lives. Apps like “BMI CalculationVsn” serve as a stark
reminder that even the simplest tools can harbor hidden threats. By staying
alert and adopting robust security measures, we can safeguard our privacy and
data.


IOC

Distribution website:

 * hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/

C2 servers/Storage buckets:

 * hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7
 * hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/
 * testmlwr-d4dd7.appspot.com

Sample Hash:

 * 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a
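
The network indicators above can be matched against proxy logs, with one caveat: firebaseinstallations.googleapis.com is shared by every Firebase app, so that indicator has to be matched on host plus project path, not on host alone. The following is an added example, not part of the original post; the log format, client addresses, timestamps and request paths are constructed, and it assumes the proxy records full URLs.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed in the IOC section (defanged).
RAW_IOCS = [
    "hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7",
    "hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/",
    "testmlwr-d4dd7.appspot.com",
]
# Multi-tenant hosts: a host-only match would flag unrelated apps.
SHARED_HOSTS = {"firebaseinstallations.googleapis.com"}

# Constructed proxy log: timestamp, client, method, URL.
SAMPLE_LOG = """
2024-12-19T10:00:01Z 10.0.0.5 POST https://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7/installations
2024-12-19T10:00:02Z 10.0.0.7 POST https://firebaseinstallations.googleapis.com/v1/projects/example-shop-1234/installations
2024-12-19T10:00:03Z 10.0.0.5 GET https://6708c6e38e86a8d9e42ffe93.mockapi.io/items
2024-12-19T10:00:04Z 10.0.0.9 GET https://abcdef.mockapi.io/users
2024-12-19T10:00:05Z 10.0.0.5 POST https://firebasestorage.googleapis.com/v0/b/testmlwr-d4dd7.appspot.com/o
"""


def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    ioc = ioc.strip().replace("hxxp", "http", 1).replace("[.]", ".")
    return ioc if "://" in ioc else "https://" + ioc


def build_rules(raw_iocs):
    """Return (host, required_path_prefix, is_bare_name) per indicator."""
    rules = []
    for raw in raw_iocs:
        parts = urlsplit(refang(raw))
        host = parts.hostname.lower()
        path = parts.path.rstrip("/") if host in SHARED_HOSTS else ""
        rules.append((host, path, "://" not in raw))
    return rules


def match_url(url, rules):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = parts.path.split("/")
    for rule_host, rule_path, bare in rules:
        if host == rule_host:
            # Shared host: the project path must match on a segment boundary.
            if not rule_path or (parts.path + "/").startswith(rule_path + "/"):
                return rule_host + rule_path
        elif bare and rule_host in segments:
            # A bucket name can also appear as a path segment of a storage URL.
            return rule_host
    return None


def scan(log_text, rules):
    """Return (client, matched_rule) for every log line that hits an IOC."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, client, _method, url = line.split(maxsplit=3)
        rule = match_url(url, rules)
        if rule:
            hits.append((client, rule))
    return hits


if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG, build_rules(RAW_IOCS)):
        print(client, rule)
```
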



Copyright © 2024 McAfee, LLC