Google removes fake Signal and Telegram apps hosted on Play

Researchers discovered bogus apps for the Signal and Telegram communications services in Google Play on Wednesday, according to reports. When users performed specific activities, the malicious apps could steal messages or other private information from legitimate accounts.

Google removed a Signal Plus Messenger app from Play last April after receiving a tip from security company ESET. By then, the software had been available on Play for nine months and had been downloaded there about 100 times. It was also available on signalplus[.]org, a dedicated website that resembled the original Signal.org, and on the Samsung app store. The same threat actor also developed the FlyGram app, which was available through the same three channels. Google took it down from Play as well.

Trojan has been connected to the GREF hacking gang

Both applications were created using open source technology from Signal and Telegram. An intelligence gathering mechanism known as BadBazaar was incorporated into that code. The Trojan has been connected to the GREF hacking gang, which is associated with China. Uyghurs and other Turkic ethnic minorities have historically been targeted by BadBazaar. A Uyghur Telegram group also disseminated the FlyGram malware, further connecting it to prior BadBazaar malware family targets.

If users connected their infected smartphone to their real Signal number, as is typical when someone initially installs Signal on their device, Signal Plus could monitor sent and received messages as well as contacts.

When this happened, the malicious app sent the attacker a ton of personal data, including the device’s IMEI number, phone number, MAC address, operator information, location data, Wi-Fi information, emails for Google accounts, contact information, and, in the event that one had been set up by the user, a PIN used to send texts.

Exclusively for specifically targeted people

The creators of Signal have been alerted to this weakness by ESET Research. Threat actors can modify the code of any messaging app and advertise it in a fraudulent or misleading way, according to the encrypted messaging service. In this scenario, if the official Signal clients were to show a notification every time a new device is linked to the account, the fake Signal and Telegram client could simply block that code path to avoid the warning and stay hidden.

Downloading only authentic versions of such programs, only from official sources, is the best way to avoid falling prey to a fake Signal—or any other malicious messaging app.

According to the information previously given by the malware to the C&C server, the server hasn’t returned to the device a URI for linking throughout our research, indicating this is likely enabled exclusively for specifically targeted people.
