
Fake messengers Signal and Telegram have infiltrated Google Play Store and other app stores

Fake apps posing as the popular messengers Signal and Telegram have been detected in the Google Play Store and Samsung App Store. These malicious applications can intercept messages and other sensitive information from genuine user accounts.

Image source: Mohamed_hassan / Pixabay

Researchers found that an app called Signal Plus Messenger was available on the Google Play Store for nine months and was downloaded about 100 times before Google removed it last April. The removal came after ESET, a company specializing in the development of antivirus software and information security solutions, reported the malicious application.

A similar app called FlyGram was created by the same attacker group and was also available through the Google Play Store, the Samsung App Store and the group's own website. Although both apps have been removed from the Google Play Store, they are still available in the Samsung Store.

The malicious applications were built from the open-source code of Signal and Telegram, with a spy tool called BadBazaar embedded in that code. This Trojan is associated with the GREF hacker group, which is believed to be linked to China. Previously, BadBazaar was used against Uyghurs and other Turkic ethnic minorities.

BadBazaar Trojan uploads information about an infected device to cybercriminals’ servers (Image source: ESET)

Signal Plus Messenger could track sent and received messages and contacts once users connected their device to their real Signal number. As a result, the malicious application sent a large amount of personal information to the attackers, including the IMEI number, phone number, MAC address, carrier information, location information, Wi-Fi information, Google account email addresses, contact list, and the device PIN code used to send texts.

Mechanism for attackers to gain access to victim’s communications in Signal (Image source: ESET)

ESET researcher Lukas Stefanko wrote: “Signal Plus Messenger can spy on Signal messages by abusing the device pairing feature. This spying method is unique as we have not seen similar abuse from other malware before.” BadBazaar bypasses standard QR code scanning by obtaining the required URI from its Command and Control (C&C) server, allowing attackers to secretly associate the victim’s device with their device.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
