Hackers Bypass App Store Protection to Launch Fitbit Spyware That Steals Data From a Watch Face

Recently, hackers managed to bypass the app store's protection and publish a Fitbit spyware watch face that steals user data. Security researchers noted that the core of Fitbit's market is its trackers, which record a user's heart rate, calorie intake and exercise sessions, among other data.

These devices are compatible with a number of apps that can be downloaded from Fitbit's official website and from other app stores; customers can download watch faces the same way.

Malware attacks are increasing at a rapid rate, and according to the reports, attackers are now targeting health-related devices and their data.

What could the malicious app do?

So what could the malicious app do? According to the report, it could send the following data to the operators behind the spyware:

  • Device type
  • Location
  • User’s gender
  • User’s age
  • User’s height
  • User’s heart rate
  • User’s weight
  • Calendar data

None of this is PII profile data by itself, but the calendar invites could reveal additional details such as names and locations.

According to the report, the Fitbit application API exposes specific device sensors, such as GPS, heart rate, the accelerometer, and body presence.

It also exposes a limited personal API that returns the user's age, height, weight, sex, and average heart rate. In addition, an app using this API can connect to the internet and, if the calendar is synced, read all of the user's calendar events.
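As an added example, not code from the article or from Fitbit, the following script audits the permissions a watch face declares in its package.json and flags the pattern described above: access to personal or sensor data combined with internet access, in a clock face that has no need to send data anywhere. It assumes the Fitbit SDK manifest layout, where `appType` and `requestedPermissions` sit under a `fitbit` key, and that the permission names shown (`access_internet`, `access_user_profile`, `access_heart_rate`, `access_location`, `access_calendar`, `access_activity`) are the ones the SDK uses; the sample manifests are constructed.

```javascript
// Added example, not code from the article or from Fitbit. Audits a watch
// face manifest (package.json) for the "data access plus internet" pattern.
// Assumption: the Fitbit SDK manifest keeps appType and requestedPermissions
// under a "fitbit" key and uses the permission names listed below.

// Permissions that expose personal or sensor data to the app.
const DATA_PERMISSIONS = {
  access_user_profile: "age, height, weight, sex, average heart rate",
  access_heart_rate: "heart-rate sensor",
  access_location: "GPS position",
  access_calendar: "calendar events (invites can carry names and places)",
  access_activity: "activity and exercise data",
};
// The permission that lets the app's companion send data off the device.
const EGRESS_PERMISSION = "access_internet";

// Parse a manifest and report which data permissions it holds, whether it can
// reach the internet, what could leave the device, and a risk label. Only a
// clock face with data access plus internet is rated "high": a watch face has
// no legitimate reason to send profile, location or calendar data anywhere.
function auditManifest(manifestJson) {
  const fb = JSON.parse(manifestJson).fitbit || {};
  const requested = new Set(fb.requestedPermissions || []);
  const dataAccess = Object.keys(DATA_PERMISSIONS).filter((p) => requested.has(p));
  const canExfiltrate = requested.has(EGRESS_PERMISSION);
  let risk = "low";
  if (canExfiltrate && dataAccess.length > 0) {
    risk = fb.appType === "clockface" ? "high" : "medium";
  } else if (canExfiltrate) {
    risk = "medium"; // network access alone still deserves a closer look
  }
  const exposed = dataAccess.map((p) => DATA_PERMISSIONS[p]);
  return { appType: fb.appType, dataAccess, canExfiltrate, exposed, risk };
}

// Constructed sample manifests; neither is a real package.
const SPYWARE_FACE = JSON.stringify({
  fitbit: {
    appType: "clockface",
    appDisplayName: "Constructed Spyware Face",
    requestedPermissions: ["access_user_profile", "access_heart_rate",
      "access_location", "access_calendar", "access_internet"],
  },
});
const PLAIN_FACE = JSON.stringify({
  fitbit: { appType: "clockface", appDisplayName: "Constructed Plain Face",
    requestedPermissions: ["access_heart_rate"] },
});

console.log(auditManifest(SPYWARE_FACE).risk, auditManifest(PLAIN_FACE).risk); // high low
```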

Legitimate-looking fitbit{.}com URL for delivery

The Fitbit Gallery is the section of the company website designed to display Fitbit apps and watch faces.

The security researchers claim that it is very easy to publish a malicious watch face at a gallery.fitbit.com URL: anyone can do so using the dashboard that development teams use to review their apps.

Fitbit’s Response

Fitbit responded both politely and promptly, which, as every security researcher knows, is better than many companies manage. Fitbit affirmed that apps submitted to the Fitbit Gallery for public download must undergo a manual review.

In a proper review, spyware or applications masquerading as something else are likely to be caught and blocked from being published. However, this procedure is only the standard process, and at the time of writing the malicious watch face was still publicly accessible.

Fitbit recommended a few security measures to its users:

  • Install applications only from authorized sources.
  • Know and trust the third parties you share data with, and be mindful of what data you share.
  • Stop using any third-party stores.

Fitbit added that it believes the trust of its customers is paramount and that it is committed to protecting consumer privacy and keeping their data safe.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.