Date: 12/19/2024
Severity: High
Summary
With smartphones playing a central role in daily life, malicious apps have become more deceptive and sophisticated. Recently, we identified a seemingly innocent app called “BMI CalculationVsn” on the Amazon Appstore, which secretly stole package names of installed apps and intercepted incoming SMS messages while posing as a health tool. McAfee reported the app to Amazon, which swiftly removed it from the platform.
Indicators of Compromise (IOC) List
| Type | Indicator |
| --- | --- |
| Domain/URL | https://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/ |
| Domain/URL | https://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7 |
| Domain/URL | https://6708c6e38e86a8d9e42ffe93.mockapi.io/ |
| Domain/URL | testmlwr-d4dd7.appspot.com |
| Hash (SHA-256) | 8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Type | Query |
| --- | --- |
| Domains/URLs | userdomainname like "https://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/" or url like "https://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/" or userdomainname like "https://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7" or url like "https://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7" or userdomainname like "https://6708c6e38e86a8d9e42ffe93.mockapi.io/" or url like "https://6708c6e38e86a8d9e42ffe93.mockapi.io/" or userdomainname like "testmlwr-d4dd7.appspot.com" or url like "testmlwr-d4dd7.appspot.com" |
| Hash | sha256hash IN ("8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a") |
Reference:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-through-amazon-appstore/