BleepingComputer reports that malicious actors have distributed Android spyware as the BMI CalculationVsn app through the Amazon Appstore, from which it has since been removed.
Despite showing straightforward body mass index calculating capabilities upon opening, BMI CalculationVsn — which is developed by PT Visionet Data Internasional — not only covertly triggered a screen recording service upon clicking the 'Calculate' button, with the saved recordings stored in an MP4 file, but also facilitated device scanning to fetch all apps installed in the targeted devices, according to an analysis from McAfee Labs researchers. BMI CalculationVsn was also discovered to have enabled the exfiltration of one-time passwords, verification codes, and other SMS messages in compromised devices, researchers said. Immediate uninstallation of BMI CalculationVsn has been urged among its users, who were also advised to perform device scanning to ensure the complete removal of the app. Such a development should also prompt Android users to only download apps from trusted publishers.
