As 2025 kicked off, many people set their sights on self-improvement—especially health and fitness goals. But cybercriminals saw an opportunity.
A malicious Android app called “BMI CalculationVsn” was recently discovered on Amazon’s Appstore. Disguised as a simple BMI calculator, it tricked users into downloading what appeared to be a useful self-care tool. Instead, it was a phishing scam designed to steal personal data by requesting excessive permissions and running hidden spyware functions.
Cybercriminals know exactly when to strike—like after New Year’s resolutions are pledged, when people are excited about losing weight and joining their local gym and less likely to question a “helpful” new app.
A perfectly-timed attack
The app’s timing was no accident. Researchers found that it originally launched in October 2024 as a screen recorder before rebranding as a BMI calculator in January 2025, right when health-conscious consumers were seeking new fitness apps.
While the Amazon Appstore is smaller than Google Play or Apple’s App Store, it is still considered a trusted source for Android users. This incident shows that even official app stores can host malicious apps, so the store an app comes from is no substitute for checking what the app asks for before installing it.
How the scam worked
Once installed, the BMI calculator app asked for unnecessary permissions like:

- Access to SMS messages
- Viewing other installed apps
- Screen recording capabilities

These permissions allowed the bad app to silently collect user data. Researchers also discovered that this app was linked to “PT. Visionet Data Internasional,” a fraudulent entity pretending to be a legitimate Indonesian IT firm.
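As an added example (not code from the article or from the researchers who analysed the app), here is a small Python audit that reads a decoded AndroidManifest.xml and flags permissions a BMI calculator has no plausible need for. The sample manifest, its package name and the baseline of "expected" permissions are constructed assumptions that mirror the three permission categories listed above; the same function can be pointed at a manifest decoded from any APK.

```python
"""Flag permissions a BMI calculator has no business requesting.

Added example; not code from the article or from any research team. The
manifest below is constructed to mirror the permissions the article lists
(SMS access, visibility of other installed apps, screen capture). The
package name and the expected-permission baseline are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: what a decoded AndroidManifest.xml of a data-stealing
# "BMI calculator" might declare (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bmi.calculator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="BMI Calculator"/>
</manifest>
"""

# Baseline of what a simple offline calculator plausibly needs (assumption:
# INTERNET is tolerated because ad-supported calculators commonly declare it).
EXPECTED_FOR_BMI_CALCULATOR = {
    "android.permission.INTERNET",
}

# Permissions that give an app reach far beyond a height/weight calculator.
HIGH_RISK_REASONS = {
    "android.permission.READ_SMS": "can read private messages and one-time codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, including 2FA codes",
    "android.permission.SEND_SMS": "can send SMS at the user's cost",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates every installed app (device fingerprinting)",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "declared by apps that record the screen via MediaProjection",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read and act on any on-screen content",
    "android.permission.READ_CONTACTS": "harvests the address book",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)]


def audit_permissions(manifest_xml: str, expected=EXPECTED_FOR_BMI_CALCULATOR):
    """Return (unexpected, high_risk).

    unexpected: requested permissions outside the baseline for this app category.
    high_risk:  permission -> reason, for requests that warrant blocking or escalation.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = [p for p in requested if p not in expected]
    high_risk = {p: HIGH_RISK_REASONS[p] for p in requested if p in HIGH_RISK_REASONS}
    return unexpected, high_risk


if __name__ == "__main__":
    unexpected, high_risk = audit_permissions(SAMPLE_MANIFEST)
    print(f"{len(unexpected)} permission(s) outside the BMI-calculator baseline:")
    for perm in unexpected:
        if perm in high_risk:
            print(f"  [HIGH RISK] {perm}: {high_risk[perm]}")
        else:
            print(f"  [review]    {perm}")
```

The baseline is deliberately tiny: the point of a category-based audit is that a calculator which declares SMS, package-enumeration or screen-capture permissions should fail review regardless of what its store listing says, which is exactly the mismatch the table below illustrates.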
Fake fitness app’s claims vs. what it did

Feature          | What it claimed to do                     | What it actually did
BMI Calculator   | Calculate BMI based on height and weight  | Stole user data via excessive permissions
Fitness Tracking | Help users set health goals               | Ran spyware functions in the background
Personalization  | Adapt BMI results to user input           | Sent stolen data to unknown servers
Amazon’s response
Cybersecurity researchers flagged the app, prompting Amazon to remove it from the app store. However, users who had already installed it are still at risk until they manually delete it.
Advice for app developers
While the fake BMI calculator app targeted end-users, it highlights a growing threat to legitimate app developers. Bad actors reverse-engineer “official” apps all the time, modifying them and redeploying them as malicious clones on app stores. This poses serious security risks to users who may unknowingly download an impostor.
Cybercriminals often use attack tools such as decompilers and debuggers to break down an app’s code, analyze its logic, and repackage it with their own modifications—often embedding malware in the process. Once republished on an app store, it can look nearly identical to the original, misleading users into downloading a compromised version.
To prevent attackers from tampering with your legitimate app, implement multi-layered security measures that make reverse engineering significantly harder. Fake apps don’t just hurt users; they can directly hurt app development businesses by damaging brand reputation, eroding user trust, and cutting into revenue. Worse, if a cloned app successfully infects devices, users may blame the legitimate developer, assuming the original app is responsible.
By investing in robust app shielding, developers can safeguard their work, protect their users, and stay ahead of emerging threats in an era where cybercriminals are always looking for new ways to exploit vulnerabilities.
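One layer of the "app shielding" described above is tamper detection: recording a digest of every entry in the release build and pinning the signer, so that a clone with modified or injected entries, or one re-signed with someone else’s key, is recognisable as not the developer’s build. The Python below is an added example, not the article’s code or any vendor’s product. The two "APKs" are plain zip files built in memory, and the signer fingerprints are placeholder strings standing in for the SHA-256 of a signing certificate; a real check would read the certificate from the APK’s signing block.

```python
"""Detect a repackaged build by comparing it with the signed release record.

Added example, not the article's code or any vendor's app-shielding product.
It mirrors the per-entry digests that APK v1 signing stores in
META-INF/MANIFEST.MF and adds a pinned signer fingerprint. Both "APKs", the
release record and the signer identities are constructed in memory.
"""
import hashlib
import io
import zipfile


def build_apk(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for an APK: a zip of entry name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes: bytes) -> dict[str, str]:
    """SHA-256 of every non-signature entry, as MANIFEST.MF would record it."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # signature metadata is what we verify against, not part of it
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_to_release(apk_bytes: bytes, release_digests: dict[str, str],
                       release_signer: str, apk_signer: str) -> dict:
    """Report what differs between a candidate build and the signed release.

    release_signer / apk_signer are placeholders for signing-certificate
    fingerprints. A repackager can re-sign with their own key, so matching
    digests alone never prove authenticity; the signer must match as well.
    """
    current = entry_digests(apk_bytes)
    modified = sorted(n for n in current
                      if n in release_digests and current[n] != release_digests[n])
    added = sorted(n for n in current if n not in release_digests)
    removed = sorted(n for n in release_digests if n not in current)
    signer_matches = release_signer == apk_signer
    return {
        "signer_matches": signer_matches,
        "modified": modified,
        "added": added,
        "removed": removed,
        "tampered": bool(modified or added or removed) or not signer_matches,
    }


# --- constructed scenario (no real app, key or certificate involved) --------
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.bmi'/>",
    "classes.dex": b"dex\n035\x00original calculator code",
    "res/layout/main.xml": b"<LinearLayout/>",
})
RELEASE_DIGESTS = entry_digests(ORIGINAL)
RELEASE_SIGNER = "sha256:PLACEHOLDER-DEVELOPER-CERT"   # pinned at build time

# A clone: classes.dex changed, a native library added, re-signed by a stranger.
CLONE = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.bmi'/>",
    "classes.dex": b"dex\n035\x00original calculator code, modified",
    "res/layout/main.xml": b"<LinearLayout/>",
    "lib/armeabi-v7a/libextra.so": b"\x7fELF placeholder",
})
CLONE_SIGNER = "sha256:PLACEHOLDER-UNKNOWN-CERT"

if __name__ == "__main__":
    for label, apk, signer in (("release", ORIGINAL, RELEASE_SIGNER),
                               ("clone", CLONE, CLONE_SIGNER)):
        report = compare_to_release(apk, RELEASE_DIGESTS, RELEASE_SIGNER, signer)
        print(f"{label}: tampered={report['tampered']} "
              f"modified={report['modified']} added={report['added']} "
              f"signer_matches={report['signer_matches']}")
```

The design point is the last line of the report: a clone whose entries all match the release still fails if the signer differs, and a build signed with the right key still fails if any entry changed. Either condition alone would let a repackaged copy through.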
The Net Net
Cybercriminals don’t need blunt-force attacks to disrupt lives; they just need unwitting consumers to download the wrong app. The fake BMI calculator proves that even something as innocent as a fitness app can be a Trojan horse for misdirection and theft.
For developers, this story serves as a warning. If you’re not actively protecting your mobile apps from reverse engineering and cloning, someone else might be repackaging them with fraudulent intent. Strengthening app security isn’t just about compliance—it’s about protecting your end users, your reputation, and your business. In a world where trust is easily exploited, a well-secured app may just be your best defense.
Stay informed and secure
Get the latest insights on emerging cyber threats and in-app security measures to protect your fitness apps. Stay one step ahead of hackers by signing up for our newsletter now!
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Commentary
Fake Fitness: The BMI App That Was a Spyware Trap