Black Friday deals? Nope, this fake Amazon Android app only harvests your personal data

David Bisson
@DMBisson

Security researchers have uncovered a fake Amazon Android app that promises Black Friday deals but in reality harvests users’ personal information.

Fake Amazon app

According to a post published by the Zscaler research team, the fake app is being distributed from a URL set up by the malware authors to fool victims into believing it is a legitimate Amazon site.

Indeed, as Yahoo! Tech reveals, the app in some ways appears very similar to the real Amazon Underground app, which offers users games and free apps.


Where those applications differ, however, is in their size – the real app takes up 35 MB versus the fake app’s 130 KB – and the malicious app’s URL ends in “.cc” instead of “.com” or another commonly used top-level domain (TLD).

Amazon app comparison

Upon installation, the app assumes the look of an Amazon app. At the same time, however, it loads a child application called “com.android.engine”. This secondary program, which as reported by Metro does not display an icon on users’ devices, asks for a host of administrative privileges, such as the ability to access your contacts and SMS messaging.

App permissions

After the child app has been successfully installed, the fake Amazon application displays the error message “Device not supported with App”, which leads the user to uninstall it.

However, the secondary app sticks around after the fake Amazon app has been removed and harvests users’ personal information, including their browser history, bookmarks, call logs, and contact details. This data is then sent to a location of the malware authors’ choosing.
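The two traits described above, a package with no launcher icon that requests access to contacts and SMS, can be checked from a decoded AndroidManifest.xml. This is an added example, not code from Zscaler or the original article; the package name `com.example.hiddenchild` and the manifest contents are constructed, and the permission-to-data mapping is an assumption about which Android permissions cover the data the article lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from Android permissions to the data types the article says were harvested.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history and bookmarks",
}

# Constructed sample: decoded manifest of a package that declares no launcher activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hiddenchild">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".Worker"/>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return (package, sorted sensitive data categories, has_launcher_icon)."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    categories = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    # An icon appears in the launcher only if an activity or alias declares the LAUNCHER category.
    launcher = any(
        c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for tag in ("activity", "activity-alias")
        for act in root.iter(tag)
        for c in act.iter("category")
    )
    return root.get("package"), categories, launcher

if __name__ == "__main__":
    pkg, cats, icon = triage_manifest(SAMPLE_MANIFEST)
    print(f"{pkg}: sensitive data requested={cats}, launcher icon={icon}")
```

A package that requests these permissions while exposing no launcher icon is worth a closer look, since the user has no visible entry point from which to notice or remove it.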

As Zscaler rightly points out, people need to be careful this holiday season when shopping around for deals:

“Especially during this holiday season, consumers need to be aware of the applications they’re downloading and stay away from such fake apps,” the researchers observe. “Always install applications from legitimate app stores and websites. Be aware of the permissions asked by the application during installation. Shopping apps should not be asking for access to your contacts or SMS.”

Black Friday is dangerous enough for those who venture out and try to capitalize on retailers’ early-morning electronic deals. While these sales might be exciting, they are not worth risking your identity or personal information. Play it safe this holiday season and stay on the lookout for fraud.

Read more about the threat on the Zscaler blog.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Black Friday deals? Nope, this fake Amazon Android app only harvests your personal data”

  1. Sean Durrant

    Is this app in the official Google Play Store?
