Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Fake Signal and Telegram apps with spyware found on Google Play

Malware-riddled versions of encrypted instant messaging apps Signal and Telegram have been discovered on Google Play and Samsung Galaxy Store.

user icon Daniel Croft
Thu, 31 Aug 2023
Fake Signal and Telegram apps with spyware found on Google Play
expand image

The apps, which contained the BadBazaar spyware, were believed to have been uploaded to the app marketplaces by the China-based GREF APT hacking group.

“Signal Plus Messenger” and “FlyGram” were posted to the app marketplaces promising to be legitimate versions of the Signal and Telegram apps, respectively. However, both had been patched with the malware.

To add legitimacy to the apps, the threat actors had also set up websites promoting both of the apps, with “signalplus[.]org” and “flygram[.]org” featuring links to download the apps directly or from Google Play.

============
============

FlyGram was first posted to Google Play in July 2020, being later removed on 6 January 2021. It had 5,000 installations.

Signal Plus Messenger was posted on July 2022 and was only recently taken down on 23 May 2023.

Both apps are still available on the Samsung Galaxy Store at the time of writing.

The Trojanised versions of the apps were discovered by ESET researcher Lukáš Štefanko, who says that the BadBazaar spyware featured in both was designed to collect a wide range of data from victims.

“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” he said.

Previously, BadBazaar had targeted ethnic minorities in China, but ESET has discovered that attackers using the malware had targeted users worldwide, including in Poland, Spain, Germany, Portugal, Ukraine, Hong Kong, the Netherlands, and the US.

Through FlyGram, the malware targeted call logs, Google Accounts, Wi-Fi, data, contact lists and also advertised a backup feature that sends Telegram comms data to a server controlled by the threat actors. Reports show that 13,953 or more users enabled this feature.

Signal Plus Messenger works more specifically to collect app-specific information, such as communications history and PIN numbers.

In addition, it allows an attacker to link a victim’s account to an attacker’s device, allowing future chat messages to be seen. This is done by bypassing the QR-code feature that Signal features, allowing users to link multiple devices to an account.

“This method of spying is unique: ESET researchers haven’t seen this functionality being misused before by other malware, and this is the only method by which the attacker can obtain the content of Signal messages,” said ESET.

“ESET Research has informed Signal’s developers about this loophole.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.