Fake apps posing as the popular messengers Signal and Telegram have been detected in the Google Play Store and Samsung App Store. These malicious applications can intercept messages and other sensitive information from genuine user accounts.
Researchers found that an app called Signal Plus Messenger was available on the Google Play Store for nine months and was downloaded about 100 times before Google removed it last April. The removal followed a report of the malicious application by ESET, a company specializing in antivirus software and information security solutions.
A similar app called FlyGram was created by the same attacker group and was available through the Google Play Store, the Samsung App Store and the group's own website. Although both apps have been removed from the Google Play Store, they are still available in the Samsung App Store.
The malicious applications were built on the open-source code of Signal and Telegram, with a spy tool called BadBazaar embedded in that code. This Trojan is associated with the GREF hacker group, which is believed to be linked to China. Previously, BadBazaar was used against Uyghurs and other Turkic ethnic minorities.
Signal Plus Messenger could track sent and received messages and contacts once users connected their device to their real Signal number. As a result, the malicious application sent a large amount of personal information to the attackers, including the IMEI number, phone number, MAC address, carrier information, location information, Wi-Fi information, Google account email addresses, contact list, and the PIN of the device. Code used to send texts.
ESET researcher Lukas Stefanko wrote: “Signal Plus Messenger can spy on Signal messages by abusing the device pairing feature. This spying method is unique as we have not seen similar abuse from other malware before.” BadBazaar bypasses standard QR code scanning by obtaining the required URI from its Command and Control (C&C) server, allowing attackers to secretly associate the victim’s device with their device.