Warning to Amazon Fire Stick users over fears app could be ‘spying on them’


Amazon Fire Stick users have been urged by cybersecurity experts to delete an app that’s secretly spying on them.

The app, which Amazon has since removed, was available on the Amazon Appstore for Android devices like Amazon Fire tablets and Fire TV sticks.

But it likely remains installed on countless devices, with computer security software company McAfee calling on people to uninstall it.

‘BMI Calculation Vsn’, published by ‘PT Visionet Data Internasional,’ was promoted as a body mass index calculator tool.

Opening the app brings people to a simple page where they can punch in their weight and height to figure out their BMI.

But the so-called health application asks for permission to record the screen the second users click the ‘calculate’ button.

The dodgy app as it was presented originally on the app store (Picture: McAfee)

The pop-up asks for the user to give the app permission to record their screens (Picture: McAfee)

A pop-up message says: ‘BMI Calculation will have access to all your information that is visible on your screen or played from your device while recording or casting.

‘This includes information such as passwords, payment details, photos, messages and audio that you play.’

McAfee, which discovered the malicious tool, said: ‘This functionality is likely to capture gesture passwords or sensitive data from other apps.’

Many users reflexively click these buttons without even reading the text in the dialogue box so they can use the app.

Once the user gives permission to the app, the malware gets to work snooping on what apps are installed so the scammer knows their victim.

‘It intercepts and collects all SMS messages received on the device, potentially to capture one-time password (OTP), verification codes and sensitive information,’ McAfee adds.

The app was styled as a BMI calculator. The NHS’ BMI calculator says someone who is 177cm tall and weighs 66kg would have a BMI of 21.1 (Picture: McAfee)

The tool’s app store listing said it collected ‘user info’ (Picture: McAfee)

The app stores the recording of your activity in an MP4 file but does not upload the clip to the command and control (C2) server.

A C2 server is the control room for scammers. From it, they can send commands to the malware that crept into your device.

As this recording doesn’t make it to the cyber-crook’s server, McAfee suggested the app was still in early development when it landed on the Amazon Appstore.

How to avoid falling victim to dodgy apps

As McAfee advises:

Install Trusted Antivirus Apps: Use reliable antivirus software to detect and prevent malicious apps before they can cause harm.
Review Permission Requests: When installing an app, carefully examine the permissions it requests. Deny any permissions that seem unrelated to its advertised functionality. For instance, a BMI calculator has no legitimate reason to request access to SMS or screen recording.
Stay Alert: Watch for unusual app behavior, such as reduced device performance, rapid battery drain, or a spike in data usage, which could indicate malicious activity running in the background.

The scammer likely called the developer ‘PT. Visionet Data Internasional’ to trick people into thinking it was the actual company of the same name, a respectable IT management service in Indonesia, experts believe.

McAfee rummaged through the app’s development history on VirusTotal, a kind of search engine for malware, and found it was initially made to be a screen recording app in October before being rebranded as a BMI tool.

Experts have long stressed that people should only download applications from well-known publishers. As robust as app stores’ screening processes are, some creepy code can slip through the cracks.

Developers initially made the app to be a screen recorder (Picture: McAfee)

So-called ‘dodgy’ Fire TV Sticks, for example, see vendors tinker with media streaming devices so users can pirate streaming services.

But some of these jailbroken sticks store user data on them for scammers to sell for profit, or come pre-installed with apps that sneakily allow people to tap into your home network and take control of webcams.

‘Apps like “BMI CalculationVsn” serve as a stark reminder that even the simplest tools can harbour hidden threats,’ McAfee adds.

‘By staying alert and adopting robust security measures, we can safeguard our privacy and data.’
