Security researchers have uncovered a fake Amazon Android app that promises Black Friday deals but in reality harvests users’ personal information.

According to a post published by the Zscaler research team, the fake app is being distributed from a URL set up by the malware authors to fool victims into believing it is a legitimate Amazon site.

Indeed, as Yahoo! Tech reveals, the app in some ways appears very similar to the real Amazon Underground app, which offers users games and free apps.

Where the two applications differ, however, is in their size (the real app takes up 35 MB versus the fake app’s 130 KB) and in their download location: the malicious app’s URL ends in “.cc” instead of “.com” or another commonly used top-level domain (TLD).

Upon installation, the app assumes the look of an Amazon app. At the same time, however, it loads a child application called “com.android.engine”. This secondary program, which, as reported by Metro, does not display an icon on users’ devices, asks for a host of administrative privileges, such as the ability to access your contacts and SMS messaging.

After the child app has been successfully installed, the fake Amazon application displays the error message “Device not supported with App”, which leads the user to uninstall it.

However, the secondary app sticks around after the fake Amazon app has been removed and harvests users’ personal information, including their browser history, bookmarks, call logs, and contact details. This data is then sent to a location of the malware authors’ choosing.

As Zscaler rightly points out, people need to be careful this holiday season when shopping around for deals:

“Especially during this holiday season, consumers need to be aware of the applications they’re downloading and stay away from such fake apps,” the researchers observe. “Always install applications from legitimate app stores and websites. Be aware of the permissions asked by the application during installation. Shopping apps should not be asking for access to your contacts or SMS.”
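The warning signs described above (download host, APK size, and requested permissions) can be checked together before an app is installed. The following is an added example, not code from Zscaler or from the original article; the trusted host suffix, the size threshold, the sample URL and the sample manifest are constructed assumptions, and the manifest is assumed to have been decoded to text XML already.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions covering the data the article says was harvested
# (contacts, SMS, call logs, browser history and bookmarks).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history/bookmarks",
}

def triage_apk(download_url, size_bytes, manifest_xml,
               trusted_suffixes=(".amazon.com",),        # assumption: vendor's real domain
               min_expected_bytes=10 * 1024 * 1024):     # assumption: threshold for a ~35 MB app
    """Return a list of findings for a shopping app; an empty list means no red flags."""
    findings = []
    host = (urlparse(download_url).hostname or "").lower()
    # Match on a dot boundary so a look-alike such as "amazon.com.example.cc" fails.
    if not any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes):
        findings.append(f"untrusted download host: {host or 'none'}")
    if size_bytes < min_expected_bytes:
        findings.append(f"APK is {size_bytes // 1024} KB, far below expected size")
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & SENSITIVE.keys()):
        findings.append(f"requests {perm} ({SENSITIVE[perm]})")
    return findings

# Constructed sample manifest (not taken from the real malware).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeshop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    # Constructed URL and the 130 KB size reported for the fake app.
    for finding in triage_apk("http://amazon.deals.example.cc/app.apk", 130 * 1024, SAMPLE_MANIFEST):
        print(finding)
```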

Black Friday is dangerous enough for those who venture out and try to capitalize on retailers’ early-morning electronic deals. While these sales might be exciting, they are not worth risking your identity or personal information. Play it safe this holiday season and stay on the lookout for fraud.

Read more about the threat on the Zscaler blog.