Signal and Telegram users: spy on fake apps from China 

Signal and Telegram users: Spying on fake apps from China - Image by Gerd Altmann on Pixabay

Share post

Chinese hackers are accessing personal user data using fake messenger apps. This includes message content, contact details and call logs. Particularly perfidious: The two bugs disguised as legitimate apps were available via the official app stores Google Play and Samsung Galaxy Store.

The applications are still available from the Korean manufacturer. By May 2023, the hackers targeted thousands of users around the world. A main target is Germany. The team led by ESET researcher Lukas Stefanko has discovered the two apps “Signal Plus Messenger” and “FlyGram”, which disguise themselves as legitimate Signal and Telegram messengers. Both install BadBazaar spyware, which has previously been used to oppress Uyghurs and other minorities in China.

Fake apps for Signal and Telegram

The spy apps have the same functions as the original apps: users can use them to write messages and send pictures without arousing suspicion. Both applications were removed from the Google Play Store after they were discovered by ESET, but they were still available in the Samsung Galaxy Store for a long time. The fake apps can still be found on various sites with apps and APKs.

How the hackers operated

Signal and Telegram are open source applications. This means that anyone can view and change your source code. Hackers took advantage of this by adding their malicious code to the functioning basic structure of the messengers. They then published them in the app stores. The advantage for cybercriminals with this method is that the “new” app has the same functionality as the original, giving the appearance of legality. In practice, users do not notice any difference to the official application.

After launching Signal Messenger Plus for the first time, the user needs to log in just like the official Signal app for Android. The malware then connects to the hackers’ servers. The app spies on messages by misusing the “Connect device” function. This is done by automatically connecting the compromised device to the attacker's Signal device. This spying method is unique in that this feature has never been abused by malware until now.

Fake Telegram app FlyGram

The victim also logs in to the fake Telegram app FlyGram, as the official messenger requires. Even before registration is complete, FlyGram and the BadBazaar malware have the opportunity to steal sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the hackers. This feature was active in at least 13.953 user accounts. Attackers are able to use FlyGram to log some metadata, such as contact lists, call logs, and device and network information. However, the hackers do not have access to data and messages sent in Telegram.

Users worldwide affected

🔎 The fake apps for Signal and Telegram were most widespread in these countries (Image: ESET).

ESET has registered fake app activity in many countries and regions. Android devices in Europe are particularly affected, especially Germany and Poland. The malware is also active in Australia, South America, Africa and North and South America. Additionally, cybercriminals distributed a link to FlyGram in the Google Play Store in a Uyghur Telegram group. Apps from the BadBazaar malware family have previously been used against Uyghurs and other Turkic-speaking ethnic minorities outside of China.

Beware of apps from unknown developers

When installing messenger services and other apps, users should always pay attention to the developer or the company behind the service. If in doubt, you should always choose the official manufacturer. The two fake messengers can still be downloaded from the Samsung Galaxy Store and various third-party sites. Under no circumstances are users allowed to install them on their smartphones. It is also advisable to use a security app, including on mobile devices. This prevents downloading or installing the app at an early stage and prevents infection of the system.

More at


About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit or follow us on LinkedIn, Facebook and Twitter.


Matching articles on the topic

Cybersecurity platform with protection for 5G environments

Cybersecurity specialist Trend Micro unveils its platform-based approach to protecting organizations' ever-expanding attack surface, including securing ➡ Read more

Data manipulation, the underestimated danger

Every year, World Backup Day on March 31st serves as a reminder of the importance of up-to-date and easily accessible backups ➡ Read more

Printers as a security risk

Corporate printer fleets are increasingly becoming a blind spot and pose enormous problems for their efficiency and security. ➡ Read more

The AI ​​Act and its consequences for data protection

With the AI ​​Act, the first law for AI has been approved and gives manufacturers of AI applications between six months and ➡ Read more

Windows operating systems: Almost two million computers at risk

There are no longer any updates for the Windows 7 and 8 operating systems. This means open security gaps and therefore worthwhile and ➡ Read more

AI on Enterprise Storage fights ransomware in real time

NetApp is one of the first to integrate artificial intelligence (AI) and machine learning (ML) directly into primary storage to combat ransomware ➡ Read more

DSPM product suite for Zero Trust Data Security

Data Security Posture Management – ​​DSPM for short – is crucial for companies to ensure cyber resilience against the multitude ➡ Read more

Data encryption: More security on cloud platforms

Online platforms are often the target of cyberattacks, such as Trello recently. 5 tips ensure more effective data encryption in the cloud ➡ Read more