Fitbit Gallery is a one-stop shop for approved Fitbit apps, such as Spotify or Starbucks Card. While Fitbit manually scans every app published to the Gallery for malicious code, shareable “private” apps do not get the same treatment. If someone emails you a download link for a Fitbit app, ignore it!
Fitbit allows developers to upload “private” apps to the Gallery to help with testing. Unfortunately, anyone with the download link can install a private app, and the link can be shared freely. Bad actors can therefore spread a private download link to distribute malware that harvests user data, a threat identified by Kevin Breen and published by BleepingComputer.
Kevin Breen, head of threat research at Immersive Labs, uploaded a maliciously crafted private app to the Gallery and used it to steal GPS location, heart rate, altitude and age data from test devices. On Android, the malicious app could also read every calendar connected to Fitbit. Breen was even able to configure the app to scan for and reach network devices such as routers and firewalls, thanks to the API Fitbit apps use to download data over the network.
Thankfully, Kevin Breen reported his research to Fitbit, which responded by adding a warning to private app downloads. Fitbit also plans to turn private app permissions off by default, so a user must manually grant an app access to their age, contacts and other information. As before, Fitbit scans Gallery apps for malicious code before publishing them on the public Gallery page.
Source: Kevin Breen via BleepingComputer