Watch out for fake oximeter applications that claim to measure blood oxygen levels. They could end up stealing confidential information!
On Tuesday, Tamil Nadu police issued an advisory via social media, warning citizens that such fake applications could steal personal or biometric data from their mobile phones.
Once a user downloads a fake app that claims to test blood oxygen levels using a fingerprint sensor, it seeks permission to access various features of the cell phone. The app can scan photos and misuse data for dishonest activities. Such applications can also read incoming mail messages, bank alert messages and OTPs, and steal other confidential user data.
States like Maharashtra, Gujarat and Punjab have warned people of such scams in the past.
According to the police advisory, an SpO2 blood oxygen sensor is needed to accurately measure blood oxygen levels. This is not present in smartphones.
These apps claim to measure blood oxygen levels by having the user place a finger on the camera while the torch light illuminates it. During this process, malicious applications were able to capture the fingerprint. Cybercriminals could also steal your biometric data from the fingerprint scanner in your phone, and it could be used to access banking and other sensitive applications on your phone.
Fraudsters could also use your fingerprint data to copy your thumbprint and authenticate Aadhaar Enabled Payment System (AEPS) transactions from your account, the advisory said.
The police administration called on people to install applications only from reliable sources. If biometric information was compromised, they asked people to disable biometric authentication for AEPS transactions.
This app requires permission for contacts and SMS, which seems unnecessary for an app that checks the oxygen saturation level. It accesses contacts and sends a link to every contact in the system via SMS and WhatsApp message; the link points to a file hosted on a Mega account that turns out to be a banking Trojan when downloaded, the antivirus service provider Quick Heal warned on its blog.
Interestingly, last month CERT-In (Indian Computer Emergency Response Team), the government-appointed organization for information security, warned that a fake SMS message was circulating, claiming to offer an application that allows users to register for the Covid-19 vaccine in India.
The SMS contains a link that installs the malicious application on Android-based devices, and the application then spreads via SMS to the victims’ contacts. The app also obtains unnecessary permissions that attackers could use to collect user data such as the contact list.
The malicious Android application is in circulation under various names, such as Covid-19.apk, VAci_Regis.apk, MyVaccin_v2.apk, Cov-Regis.apk and Vccin-Apply.apk, the advisory said.
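The permission mismatch that Quick Heal and CERT-In describe can be checked before an app is trusted. The following is an added example, not code from the police advisory, Quick Heal or CERT-In: it assumes the APK's AndroidManifest.xml has already been decoded to text, and the sample manifest, package name and the set of "expected" permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the abuse the advisories describe.
RISKY = {
    "android.permission.READ_SMS": "read stored SMS such as bank alerts and OTPs",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS such as OTPs",
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "scan photos and files",
    "android.permission.READ_MEDIA_IMAGES": "scan photos",
}
# Assumption: all a camera-and-torch "oximeter" could plausibly justify.
EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
SPREAD_PAIR = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oximeter">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
  <application android:label="Oximeter"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)}
    return names - {None}


def audit(manifest_xml, expected=EXPECTED):
    """Return (unexpected risky permissions, self-spreading flag)."""
    perms = requested_permissions(manifest_xml)
    findings = {p: RISKY[p] for p in sorted(perms - expected) if p in RISKY}
    # Contacts plus outgoing SMS is what sending a link to every contact needs.
    return findings, SPREAD_PAIR <= perms


if __name__ == "__main__":
    findings, spreads = audit(SAMPLE_MANIFEST)
    for perm, why in findings.items():
        print(f"UNEXPECTED {perm}: {why}")
    print("contact-list SMS spreading possible:", spreads)
```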