A lightweight app comes with some heavy consequences, researchers say
An app supposedly built for calculating a person’s body mass index (BMI) is actually information-stealing malware, according to researchers.
“BMI CalculationVsn” is the latest example of malicious software sneaked into an app store under the guise of being a simple tool for consumers. Spotted on the Amazon Appstore by researchers at antivirus company McAfee, the app was actually an infostealer with the ability to record screen activity, steal text messages and survey the list of the other apps on the device.
“McAfee reported the discovered app to Amazon, which took prompt action, and the app is no longer available on Amazon Appstore,” the researchers said. The app store caters to Android device users.
Evidence on malware repository VirusTotal shows that BMI CalculationVsn is still under development, McAfee said. It was first unveiled in October 2024 as a screen recording app, but later became the BMI calculator, and the message-stealing capability was only recently added.
It’s unclear how many users downloaded the app. Not much is known about the developers.
“The malware author tricked users by abusing the names of an enterprise IT management service provider in Indonesia to distribute this malware on Amazon Appstore,” McAfee said. “This fact suggests that the malware author may be someone with knowledge of Indonesia.”
Malicious hackers persistently try to sneak tainted apps into traditional platforms, with examples including clones of the messaging app Telegram; bogus Android tools intended for memory training, astronomy enthusiasts and more; cryptocurrency stealers masquerading as QR code scanners; and banking trojans disguised as PDF readers and other tools.
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.