This Simple Android App Proves Anything Can Contain Malware

How much damage can a BMI calculator app do to your phone? It turns out that it's not what the app can do, but what it hides in its code that you should be concerned about. This is the case of an app uploaded to the Amazon Appstore that contained spyware that was discovered by McAfee.

McAfee Detects Malware Glitch in BMI App on Amazon Appstore

As McAfee discovered, the malicious app pretends to be a simple BMI calculator. Sure enough, when you download it, it does exactly that. You can enter your height and weight, and the app will tell you whether your BMI is in a healthy range or not.

However, something strange happens when you click 'Calculate'. Suddenly, the app asks you to allow it to record your screen. Given the location of the permission request, it seems like cybercriminals want to take advantage of people's impatience and accept any pop-up that appears to get their BMI results.

 

If the user accepts this request, the app will start recording the target's screen, presumably to steal any private information the user enters into the app. The malicious app may also record SMS messages (presumably to steal 2FA codes) and get a list of target apps.

When McAfee analyzed the code, they found that the app had all the means to collect data, but it wasn't actually sending it anywhere. It's unclear whether the cybercriminals wanted to keep it a secret and wait for more downloads before activating the feature, or whether they simply forgot about it. Either way, the app was taken down before it could do any damage.

While we were lucky this time, not all malicious apps will be detected like this. Always be careful when downloading apps, even if they seem simple and are offered on official app stores! If an app asks for Android permissions it doesn't need (like screen recording permission for the BMI app), deny it; who knows what the app could collect if you allow it.