Warning to Amazon Fire Stick users over fears app could be ‘spying on them’
Amazon Fire Stick users have been urged by cybersecurity experts to delete an app that’s secretly spying on them.
The app, which Amazon has since removed, was available on the Amazon Appstore for Android devices like Amazon Fire tablets and Fire TV sticks.
But it likely remains installed on countless devices, with computer security software company McAfee calling on people to uninstall it.
‘BMI Calculation Vsn’, published by ‘PT Visionet Data Internasional,’ was promoted as a body mass index calculator tool.
Opening the app brings people to a simple page where they can punch in their weight and height to figure out their BMI.
But the moment users click the ‘calculate’ button, the so-called health application asks for permission to record their screen.
A pop-up message says: ‘BMI Calculation will have access to all your information that is visible on your screen or played from your device while recording or casting.
‘This includes information such as passwords, payment details, photos, messages and audio that you play.’
McAfee, which discovered the malicious tool, said: ‘This functionality is likely to capture gesture passwords or sensitive data from other apps.’
Many users reflexively click these buttons without even reading the text in the dialogue box so they can use the app.
Once the user gives permission to the app, the malware gets to work snooping on what apps are installed so the scammer knows their victim.
‘It intercepts and collects all SMS messages received on the device, potentially to capture one-time password (OTP), verification codes and sensitive information,’ McAfee adds.
The app stores the recording of your activity in an MP4 file but does not upload the clip to the command and control (C2) server.
A C2 service is the control room for scammers. From the platform, they can send commands to the malware that crept into your device.
As this recording doesn’t make it to the cyber-crook’s server, McAfee suggested the app was still in early development when it landed on the Amazon Appstore.
How to avoid falling victim to dodgy apps
As McAfee advises:
- Install Trusted Antivirus Apps: Use reliable antivirus software to detect and prevent malicious apps before they can cause harm.
- Review Permission Requests: When installing an app, carefully examine the permissions it requests. Deny any permissions that seem unrelated to its advertised functionality. For instance, a BMI calculator has no legitimate reason to request access to SMS or screen recording.
- Stay Alert: Watch for unusual app behavior, such as reduced device performance, rapid battery drain, or a spike in data usage, which could indicate malicious activity running in the background.
The scammer likely called the developer ‘PT. Visionet Data Internasional’ to trick people into thinking it was the actual company of the same name, a respectable IT management service in Indonesia, experts believe.
McAfee rummaged through the app’s development history on VirusTotal, a kind of search engine for malware, and found it was initially made to be a screen recording app in October before being rebranded as a BMI tool.
Experts have long stressed that people should only download applications from well-known publishers. As robust as the app store’s screening processes are, some malicious code can slip through the cracks.
So-called ‘dodgy’ Fire TV Sticks, for example, see vendors tinker with media streaming devices so users can pirate streaming services.
But some of these jailbroken sticks store user data on them for scammers to sell for profit, or come pre-installed with apps that sneakily allow people to tap into your home network and take control of webcams.
‘Apps like “BMI CalculationVsn” serve as a stark reminder that even the simplest tools can harbour hidden threats,’ McAfee adds.
‘By staying alert and adopting robust security measures, we can safeguard our privacy and data.’