Malicious Signal and Telegram Clones Found on Google Play

Security company ESET has reported that trojan-infected clones of the Signal and Telegram messaging apps were found in the Google Play Store and Samsung Galaxy Store. These fake apps contained the BadBazaar spyware and were distributed by the Chinese hacker group GREF.

Previously, BadBazaar malware was used in attacks targeting ethnic minorities in China, but its targets have now expanded to users in Poland, the Netherlands, Ukraine, Spain, Portugal, Germany, Hong Kong, and the United States.

Capabilities of BadBazaar Spyware

ESET expert Lukáš Štefanko, who discovered the malicious apps, explained that BadBazaar can:

  • Track the exact location of the infected device
  • Steal call logs and SMS messages
  • Record phone calls
  • Take photos using the device’s camera
  • Steal contact lists, files, and databases

How the Attack Worked

The apps used in this campaign were named Signal Plus Messenger and FlyGram. Both were modified versions of the popular open-source messengers Signal and Telegram. The attackers also created fake websites, signalplus[.]org and flygram[.]org, to make their apps appear legitimate. Users were encouraged to download the fake apps either from the app stores or directly from these websites.
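A defender-side check built on the two distribution domains named above, added here as an example and not part of ESET's report: it re-fangs the published indicators, scans constructed Zeek-style DNS log lines, and reports which internal clients resolved either domain or a subdomain of it.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Distribution domains from the report, kept in the defanged form they were published in.
DEFANGED_IOCS = ["signalplus[.]org", "flygram[.]org"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as signalplus[.]org back into a real hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")  # tolerate trailing-dot FQDNs
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Minimal Zeek dns.log-style record: ts, client IP, query name, tab-separated (assumed layout).
LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<client>\S+)\t(?P<query>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP to the sorted list of indicators it resolved."""
    hits = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header, comment or blank line
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record, skipped rather than guessed at
        ioc = matches_ioc(m.group("query"))
        if ioc:
            hits[m.group("client")].add(ioc)
    return {client: sorted(iocs) for client, iocs in hits.items()}


# Constructed sample log: one lookalike (notflygram.org) and one legitimate Signal lookup as negatives.
SAMPLE_LOG = """#fields\tts\tid.orig_h\tquery
1693300000.1\t10.0.0.5\twww.signalplus.org
1693300001.2\t10.0.0.5\tsignal.org
1693300002.3\t10.0.0.9\tflygram.org.
1693300003.4\t10.0.0.7\tnotflygram.org
"""

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_LOG.splitlines()))
```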

FlyGram was designed to steal sensitive data, including contact lists, call logs, Google accounts, and Wi-Fi information. The malware also offered a backup feature that sent Telegram communication data directly to the hackers’ server. Analysis showed that at least 13,953 FlyGram users enabled this dangerous backup feature, but the total number of victims remains unknown.

Signal Plus Messenger collected similar information but focused on extracting Signal-specific data, such as the victim’s messages and the PIN code that protects the account from unauthorized access.

Exploiting Signal’s Device Linking Feature

The fake Signal app also included a feature that allowed attackers to link the victim’s Signal account to their own device, enabling them to view future chat messages. Signal has a legitimate feature that uses QR codes to link multiple devices to one account, allowing users to access messages on any linked device. The malicious Signal Plus Messenger abused this feature by bypassing the QR code process and automatically linking the attacker’s device to the victim’s account.

According to ESET, “The BadBazaar spyware bypasses the usual QR code scanning and button press by obtaining the necessary URI from its C&C server and directly triggering the required action when the ‘Link device’ button is pressed. This allows the spyware to secretly link the victim’s smartphone to the attacker’s device and monitor Signal communications without the victim’s knowledge.”

Timeline and Impact

  • FlyGram was uploaded to Google Play in July 2020 and removed on January 6, 2021, after accumulating over 5,000 installs.
  • Signal Plus Messenger was uploaded to Google Play and the Samsung Galaxy Store in July 2022. Google removed the malware on May 23, 2023.

Unfortunately, as of the time of ESET’s report, both apps were still available in the Samsung Galaxy Store.

Summary of BadBazaar-Infected App Distribution

  • Malicious clones of Signal and Telegram were distributed via Google Play and Samsung Galaxy Store.
  • Apps were promoted through fake websites to appear legitimate.
  • Thousands of users may have been affected, with sensitive data stolen and accounts compromised.
