Beware of fake oximeter apps claiming to measure your blood oxygen levels. These may end up stealing confidential data!
On Tuesday, the Tamil Nadu Police issued an advisory over social media warning citizens that such fake apps may steal personal or biometric data from their mobile phones.
Once the user downloads the fake app which claims to test blood oxygen levels using fingerprint sensors, it asks for permission to access various features of the mobile. The app can scan photographs and misuse the data for fraudulent activities. Such apps can also read inbox messages, bank alert messages, OTPs and steal other confidential data of users.
States like Maharashtra, Gujarat and Punjab have in the past warned people about such fraud.
According to the police advisory, SpO2 blood oxygen sensor is required to measure the blood oxygen levels accurately. This is not present in smartphones.
These apps claim to measure the blood oxygen level by placing the finger on the camera and illuminating the finger using torch light. During this process, the malicious apps could capture the fingerprint. The cybercriminals could also steal your biometric information from the fingerprint scanners in the phone and they could be used to gain access to banking and other sensitive applications on the phone.
The fraudsters could also use your fingerprint data to replicate your thumb impression and authenticate Aadhaar Enabled Payment System (AEPS) transactions from the account, the advisory said.
The police department urged people to install applications only from trusted sources. If the biometric information was compromised, they have asked people to disable biometric authentication for AEPS transaction.
This app asks for contacts and SMS permission which seems unnecessary for an app that would check oxygen saturation level. It accesses contacts and sends a link to every contact in the system via SMS and WhatsApp message, which is hosted on some mega account which on download turns out to be a trojan-banker, warned anti-virus service provider Quick Heal in its blog.
Interestingly, last month CERT-In (the Indian Computer Emergency Response Team), a government-mandated IT security organisation, warned that a fake SMS message was in circulation that falsely claimed to offer an app to let users register for Covid-19 vaccine in India.
The SMS message carries a link that installs a malicious app on android-based devices, which essentially spreads itself via SMS to victims’ contacts. The app also gains unnecessary permission that attackers could leverage to acquire user data such as contact list.
The malicious android app under circulation with different name such as Covid-19.apk; VAci_Regis.apk; MyVaccin_v2.apk; Cov-Regis.apk and Vccin-Apply.apk, said the advisory.