The Fitbit Gallery is a one-stop shop for approved Fitbit apps, like Spotify or Starbucks Card. And while Fitbit manually scans all published Gallery apps for malware, shareable “private” apps don’t get the same treatment. If someone emails you a download link for a Fitbit app, ignore it!
Fitbit allows developers to upload “private” apps to the Gallery for easier testing. Unfortunately, anyone with a download link can install a private app. Bad actors can share a private download link to distribute data collection malware, a threat identified by Kevin Breen and publicized by BleepingComputer.
Kevin Breen, Director of Threat Research at Immersive Laboratories, successfully downloaded a malicious private app from the Gallery and used it to steal GPS location, heart rate, height and age data from test devices. On Android, the malicious app can also read all calendars connected to Fitbit. Breen could even configure the app to scan and access network devices like routers and firewalls, thanks to the Fitbit fetch API.
Fortunately, Kevin Breen submitted his research to Fitbit, which responded by adding warnings to private app downloads. Fitbit also plans to turn off private app permissions by default, giving users the choice to manually grant access to their age, contacts, and other information. As always, Fitbit scans Gallery apps for malicious code before they are posted on the Gallery’s public page.
Source: Kevin Breen via BleepingComputer