Google removes fake Signal and Telegram apps hosted on Play

[Photo: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images]

Researchers said on Wednesday they had found fake apps on Google Play posing as legitimate apps for the messaging platforms Signal and Telegram. The malicious apps could extract messages or other sensitive information from legitimate accounts when users performed certain actions.

An app called Signal Plus Messenger had been available on Play for nine months and had been downloaded from Play around 100 times before Google removed it last April after being warned by security firm ESET. It was also available in the Samsung App Store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app called FlyGram, meanwhile, was created by the same malicious actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.

Both apps were built on the open source code published by Signal and Telegram, into which a spy tool identified as BadBazaar had been inserted. The Trojan has been linked to a China-aligned hacking group tracked as GREF. BadBazaar has previously been used to target Uyghurs and other ethnic Turkish minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it with the previous targeting of the BadBazaar malware family.

Signal Plus could monitor sent and received messages and contacts once people connected their infected device to their legitimate Signal number, as is normal when someone first installs Signal on a device. This caused the rogue app to send a wealth of private information to the attacker, including the device's IMEI number, phone number, MAC address, carrier details, location data, Wi-Fi information, emails from Google accounts, the contact list and, if the user has configured one, the PIN code used to transfer SMS.

The following screenshot shows information in transit from the infected device to the attacking server:

[Screenshot: BadBazaar uploads device information to its C&C server. Source: ESET]

Signal Plus also abused a legitimate Signal feature that links Signal on the running device to a desktop computer or iPad so users can send and receive messages on a wider range of devices. The linking process requires a user to download the desktop or iPad app and, once installed, use it to display a QR code that encodes a unique linking URI, such as sgnl://linkdevice?uuid=fV2MLK3P_FLFJ4HOpA&pub_key=1cCVJIyt2uPJK4fWvXt0m6XEBN02qJG7pc%2BmvQa. Signal Plus represents the first known instance of an app spying on a victim's Signal communications by automatically and secretly linking the compromised device to the attacker's Signal device.
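As an added illustration (not code from the article, ESET or Signal), the following Python parses a linking URI of the shape quoted above and checks that it carries the two fields a link request needs. It makes concrete what a user is trusting when they approve a link: a device identifier and a public key chosen by whoever produced the URI, whether that was a QR code on their own desktop or a string delivered from elsewhere. The field format checks (URL-safe base64 for the uuid, standard base64 for the key) are assumptions based on the example URI, not a published specification.

```python
import re
from urllib.parse import parse_qs, urlparse


def parse_signal_link_uri(uri: str) -> dict:
    """Parse a Signal device-linking URI of the form
    sgnl://linkdevice?uuid=<device id>&pub_key=<url-encoded key>.

    Returns the decoded fields, or raises ValueError when the string
    does not have that structure. The format checks on the two fields
    are assumptions drawn from the example URI, not from a Signal spec.
    """
    parts = urlparse(uri)
    if parts.scheme != "sgnl" or parts.netloc != "linkdevice":
        raise ValueError(f"not a Signal linking URI: {uri!r}")

    # strict_parsing rejects malformed query strings such as "a&b=1".
    params = parse_qs(parts.query, strict_parsing=True)
    missing = {"uuid", "pub_key"} - params.keys()
    if missing:
        raise ValueError(f"missing parameter(s): {sorted(missing)}")
    for name in ("uuid", "pub_key"):
        if len(params[name]) != 1:
            raise ValueError(f"parameter {name} given more than once")

    uuid = params["uuid"][0]
    # parse_qs has already percent-decoded the value, so %2B is now '+'.
    pub_key = params["pub_key"][0]

    if not re.fullmatch(r"[A-Za-z0-9_-]+", uuid):
        raise ValueError("uuid is not URL-safe base64 text")
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", pub_key):
        raise ValueError("pub_key is not standard base64 text")

    return {"uuid": uuid, "pub_key": pub_key}


if __name__ == "__main__":
    # The example URI quoted in the article (its key is truncated there).
    example = ("sgnl://linkdevice?uuid=fV2MLK3P_FLFJ4HOpA"
               "&pub_key=1cCVJIyt2uPJK4fWvXt0m6XEBN02qJG7pc%2BmvQa")
    print(parse_signal_link_uri(example))
```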

Lukas Stefanko, researcher at ESET, wrote:

Signal Plus Messenger can spy on Signal messages by misusing the device link feature. It does this by automatically connecting the compromised device to the attacker's Signal device. This spying method is unique, as we have never seen this feature misused before by other malware, and it is the only method by which the attacker can obtain the contents of Signal messages.

BadBazaar, the spying malware, bypasses the usual process of scanning the QR code and the user clicking by receiving the necessary URI from its C&C server and directly triggering the necessary action when the Bind Device button is clicked. This allows the malware to secretly link the victim's smartphone to the attacker's device, allowing it to spy on Signal communications without the victim's knowledge, as shown in Figure 12.
