A researcher reverse-engineered the Android app for the AiTURE fidget spinner and discovered that it was collecting information about the other apps on the phone and sending it to a server in China, without the user’s knowledge or consent. AiTURE was developed by the Chinese firm Shenzhen Heaton Technology Co. Ltd and connects to the user’s smartphone over Bluetooth. After the spinner app is installed and connected, users create their own patterns and start fidgeting.
After reverse-engineering the Bluetooth communication between the spinner and the app, the researcher discovered “a huge chunk of data” being transmitted to a Chinese server. The app sends all of the information about the phone’s installed apps to the server in clear text.
It’s possible that the transmitted data could be used to target ads or to deliver exploits for 0-day vulnerabilities in the phone’s other apps. The app has only 1,000-1,500 installs so far, but “it still poses a significant threat to its users since it sends all the information on installed apps along with their version and installation time.”
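The behaviour described above, an app posting a full installed-package inventory (package name, version, install time) to a remote host over plain HTTP, is something a defender can look for in captured traffic. The script below is an added example, not code from the article or from the researcher, and it assumes that captured requests have already been decoded into simple method/URL/body records (for instance from a proxy log); the hosts, package names and request bodies it scans are constructed sample data, not real traffic.

```python
"""Flag captured HTTP requests that carry an installed-app inventory.

Heuristic: a JSON body containing many records that each hold an
Android-package-shaped string plus a version or install-time field is
treated as an app inventory; if it travels over plain http it is the
cleartext exfiltration pattern described in the article.
"""
import json
import re
from urllib.parse import urlsplit

# Android package names: at least two dot-separated Java identifiers.
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$", re.IGNORECASE)

# Lower-cased field names that typically accompany an installed-app inventory.
INVENTORY_KEYS = {"version", "versionname", "versioncode",
                  "installtime", "install_time", "firstinstalltime"}

# Fewer records than this is more likely an app identifying itself than an inventory.
MIN_ENTRIES = 5


def _walk(node):
    """Yield every dict nested anywhere inside a parsed JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_inventory_entries(body):
    """Return the dicts in a JSON body that look like one installed-app record:
    a package-name-shaped string plus at least one version/install-time key."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON (or empty body): nothing to inspect
    entries = []
    for record in _walk(data):
        has_pkg = any(isinstance(v, str) and PACKAGE_RE.match(v) for v in record.values())
        has_meta = any(str(k).lower() in INVENTORY_KEYS for k in record)
        if has_pkg and has_meta:
            entries.append(record)
    return entries


def assess_request(req):
    """Classify one captured request and return the evidence behind the verdict."""
    url = urlsplit(req["url"])
    entries = find_inventory_entries(req.get("body", ""))
    cleartext = url.scheme == "http"
    if len(entries) >= MIN_ENTRIES and cleartext:
        verdict = "inventory-exfil-cleartext"
    elif len(entries) >= MIN_ENTRIES:
        verdict = "inventory-exfil-encrypted"
    else:
        verdict = "benign"
    return {"host": url.hostname, "cleartext": cleartext,
            "package_count": len(entries), "verdict": verdict}


def _constructed_inventory(count):
    """Build a constructed app list shaped like the data the article describes."""
    return [{"pkg": f"com.constructed.app{i}", "versionName": f"1.{i}",
             "installTime": 1500000000 + i} for i in range(count)]


# Constructed sample requests (hostnames use the reserved .invalid TLD).
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://collector.example.invalid/upload",
     "body": json.dumps({"deviceId": "constructed-0001",
                         "apps": _constructed_inventory(12)})},
    {"method": "POST", "url": "https://api.example.invalid/v1/session",
     "body": json.dumps({"pkg": "com.constructed.spinner", "versionName": "2.0"})},
    {"method": "GET", "url": "http://cdn.example.invalid/patterns.json", "body": ""},
]


def scan(requests=SAMPLE_REQUESTS):
    """Assess every captured request; returns one result dict per request."""
    return [assess_request(r) for r in requests]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

Only the first constructed request is flagged: it carries twelve package records and goes over plain HTTP. The second is a single app reporting its own version over HTTPS, which is ordinary and stays benign; the MIN_ENTRIES threshold exists precisely to keep that kind of request out of the alert. The field names in INVENTORY_KEYS are a starting list, not a complete one, so a real deployment would extend them from the traffic it actually sees.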
Android users are again reminded to be very cautious about downloading “unnecessary apps” from the Play Store, and especially from third-party stores.