Chinese hackers are accessing personal user data using fake messenger apps. This includes message content, contact details and call logs. Particularly perfidious: the two spy apps, disguised as legitimate apps, were available via the official app stores Google Play and the Samsung Galaxy Store.
The applications are still available in the Korean manufacturer's Samsung Galaxy Store. By May 2023, the hackers had targeted thousands of users around the world. A main target is Germany. The team led by ESET researcher Lukas Stefanko discovered the two apps “Signal Plus Messenger” and “FlyGram”, which disguise themselves as the legitimate Signal and Telegram messengers. Both install BadBazaar spyware, which has previously been used to oppress Uyghurs and other minorities in China.
Fake apps for Signal and Telegram
The spy apps have the same functions as the original apps: users can use them to write messages and send pictures without arousing suspicion. Both applications were removed from the Google Play Store after they were discovered by ESET, but they remained available in the Samsung Galaxy Store for a long time. The fake apps can still be found on various app and APK download sites.
How the hackers operated
Signal and Telegram are open source applications. This means that anyone can view and change their source code. The hackers took advantage of this by adding their malicious code to the functioning basic structure of the messengers. They then published the modified apps in the app stores. The advantage for cybercriminals with this method is that the “new” app has the same functionality as the original, giving it the appearance of legitimacy. In practice, users do not notice any difference from the official application.
After launching Signal Plus Messenger for the first time, the user needs to log in, just as with the official Signal app for Android. The malware then connects to the hackers’ servers. The app spies on messages by misusing the “Connect device” function: it automatically connects the compromised device to the attacker's Signal device as a linked device. This spying method is unique in that this feature had never been abused by malware before.
Fake Telegram app FlyGram
The victim also logs in to the fake Telegram app FlyGram, as the official messenger requires. Even before registration is complete, FlyGram and the BadBazaar malware have the opportunity to steal sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the hackers. This feature was active in at least 13,953 user accounts. Attackers are able to use FlyGram to log some metadata, such as contact lists, call logs, and device and network information. However, the hackers do not have access to the data and messages sent in Telegram.
Users worldwide affected
ESET has registered fake app activity in many countries and regions. Android devices in Europe are particularly affected, especially in Germany and Poland. The malware is also active in Australia, Africa, and North and South America. Additionally, cybercriminals distributed a link to FlyGram in the Google Play Store in a Uyghur Telegram group. Apps from the BadBazaar malware family have previously been used against Uyghurs and other Turkic-speaking ethnic minorities outside of China.
Beware of apps from unknown developers
When installing messenger services and other apps, users should always pay attention to the developer or the company behind the service. If in doubt, always choose the official manufacturer. The two fake messengers can still be downloaded from the Samsung Galaxy Store and various third-party sites. Users should under no circumstances install them on their smartphones. It is also advisable to use a security app, including on mobile devices. Such an app can block the download or installation at an early stage and prevent infection of the system.
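On Android, the “developer behind the service” is ultimately the signing certificate of the APK, not the app's display name. The following added example (not ESET's code and not from the article) shows how an administrator or a mobile security tool can turn the advice above into a mechanical check: it parses the output of `apksigner verify --print-certs`, compares the signer's SHA-256 digest with an allowlist for the official package names, and flags apps whose name imitates a known messenger while using a different package. The package names of Signal and Telegram are real, but the signer digests, the apksigner outputs and the lookalike package name are constructed placeholders, and the allowlist must be filled with fingerprints from the vendors' own publications before use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Allowlist: official package name -> accepted signing-certificate SHA-256 digests.
# The digests here are PLACEHOLDERS (assumption for this example), not the real
# Signal or Telegram fingerprints; obtain real values from the vendors.
EXPECTED_SIGNERS: Dict[str, Set[str]] = {
    "org.thoughtcrime.securesms": {"00" * 32},  # placeholder for Signal
    "org.telegram.messenger": {"11" * 32},      # placeholder for Telegram
}

# Display names that a repackaged app would imitate (compared case-insensitively).
PROTECTED_NAMES = ("signal", "telegram")

# Matches the digest line that `apksigner verify --print-certs` prints per signer.
_SHA256_RE = re.compile(
    r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})"
)


@dataclass
class Verdict:
    package: str
    label: str
    signer_sha256: Optional[str]
    # one of: trusted, signer-mismatch, lookalike-name, unsigned, unlisted
    status: str


def parse_apksigner_output(text: str) -> List[str]:
    """Return all SHA-256 signer digests (lower-case hex) found in apksigner output."""
    return [m.group(1).lower() for m in _SHA256_RE.finditer(text)]


def check_app(package: str, label: str, apksigner_output: str) -> Verdict:
    """Classify an installed app by its package name, label and signer digest."""
    digests = parse_apksigner_output(apksigner_output)
    if not digests:
        # No certificate digest at all: apksigner found no valid signature.
        return Verdict(package, label, None, "unsigned")
    signer = digests[0]
    expected = EXPECTED_SIGNERS.get(package)
    if expected is not None:
        # Official package name: the signer decides whether it is genuine.
        status = "trusted" if any(d in expected for d in digests) else "signer-mismatch"
        return Verdict(package, label, signer, status)
    # Not an official package: a name that imitates a known messenger is suspicious,
    # because a legitimate Signal or Telegram build would use the official package.
    if any(name in label.lower() for name in PROTECTED_NAMES):
        return Verdict(package, label, signer, "lookalike-name")
    return Verdict(package, label, signer, "unlisted")


# Constructed sample outputs in the shape apksigner prints; the digests are placeholders.
OFFICIAL_OUTPUT = """Signer #1 certificate DN: CN=Placeholder Signal Signer
Signer #1 certificate SHA-256 digest: {d}
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
""".format(d="00" * 32)

FOREIGN_OUTPUT = """Signer #1 certificate DN: CN=Placeholder Unknown Signer
Signer #1 certificate SHA-256 digest: {d}
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
""".format(d="ab" * 32)


def demo() -> List[Verdict]:
    """Run the check over three constructed installs and return the verdicts."""
    return [
        check_app("org.thoughtcrime.securesms", "Signal", OFFICIAL_OUTPUT),
        check_app("org.thoughtcrime.securesms", "Signal", FOREIGN_OUTPUT),
        # Hypothetical lookalike package name for a repackaged build.
        check_app("com.example.signalplus", "Signal Plus Messenger", FOREIGN_OUTPUT),
    ]


if __name__ == "__main__":
    for v in demo():
        print(f"{v.package:32} {v.label:24} {v.status}")
```

The check deliberately treats an unexpected signer on the official package name as a mismatch rather than an unknown, since an APK distributed on a third-party site under the real package name but a different certificate is exactly the repackaging case the article describes; a name-based heuristic alone would miss it.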
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.