A security researcher discovered that malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain, and that users can install them from private links. With some social engineering, hackers could take advantage of this and trick users into adding apps that obtain the wealth of personal information typically collected by Fitbit device sensors or the phone. The researcher included code in the app that could steal device details and personal body data, and that would allow a connection to company connections for ill-intended actions. On iOS, the permission to access the calendar was not active by default.
Source: https://www.bleepingcomputer.com/news/security/fitbit-gallery-can-be-used-to-distribute-malicious-apps/