The Fitbit Gallery is a one-stop shop for approved Fitbit apps, like Spotify or Starbucks Card. And while Fitbit manually scans all published Gallery apps for malware, shareable “private” apps don’t get the same treatment. If someone emails you a download link for a Fitbit app, ignore it!
Fitbit lets developers upload “private” apps to the Gallery to aid in testing. Unfortunately, anyone with a download link can install a private app, and private apps skip the malware review that public Gallery apps receive. Bad actors can share a private download link to spread data-collecting malware, a threat identified by Kevin Breen and publicized by BleepingComputer.
Kevin Breen, threat research director at Immersive Labs, successfully uploaded a malicious private app to the Gallery and used it to collect GPS location, heart rate, height, and age data from test devices. On Android, the malicious app could also read calendars connected to the Fitbit account. Breen could even configure the app to scan for and reach network devices such as routers and firewalls on the phone’s local network, thanks to the Fitbit fetch API available to the app’s phone-side companion.
Thankfully, Breen reported his research to Fitbit, which responded by adding warnings to private app downloads. Fitbit also plans to make private app permissions opt-in by default, so users must manually grant access to their age, contacts, and other information rather than having it granted automatically. Fitbit continues to scan Gallery apps for malicious code before they’re published to the public Gallery page, so the safest course is to install only apps from the public Gallery.
Source: Kevin Breen via BleepingComputer