Hackers spread fake Signal and Telegram apps


ESET warns of the spread of fake Telegram and Signal apps that aim to spy on victims. According to ESET’s telemetry, samples have been detected on Android devices in Ukraine, several EU countries, the United States, and other countries.

Thousands of users have already downloaded the dangerous apps. The spyware was distributed through Google Play, Samsung Galaxy Store, and specialized websites.

The fake versions keep the full functionality of the Signal and Telegram apps but also carry malicious code added by the attackers. The spyware-laced apps were named FlyGram and Signal Plus Messenger. The former has been distributed since July 2020, the latter since July 2022. Signal Plus Messenger is also the first recorded case of spying on Signal users’ messages. Both apps were later removed from Google Play. This activity is associated with the Chinese APT group GREF.

“The BadBazaar malware was hidden in fake Signal and Telegram apps that have all the usual functionality, while spying takes place in the background,” said Lukáš Štefanko, ESET researcher. “The main goal of BadBazaar is to obtain device information, contact list, call logs, and list of installed apps, as well as spy on Signal messages by covertly connecting the Signal Plus Messenger app to the attacker’s device.”

According to ESET’s telemetry, the threats have been detected in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United Kingdom, the United States, and Yemen.

As a partner of the Google App Defense Alliance, ESET immediately shared its findings with Google upon detecting the Signal Plus Messenger malware. The app was then removed from the store. Both apps were created by the same developer and have the same malicious features, and the app descriptions in both stores link to the same developer’s website.

After the initial launch of the application, the user has to log in to Signal Plus Messenger, just like in the official Signal Android application. Once logged in, Signal Plus Messenger starts to communicate with its command and control (C&C) server. Signal Plus Messenger spies on messages by abusing the legitimate “Linked Devices” feature: it automatically links the compromised account to a device controlled by the attacker, without the user’s knowledge.

This method of spying is unique because ESET researchers have not previously documented the use of this feature by an attacker. It is also the only method by which an attacker can access the content of the messages. ESET researchers notified Signal developers of this method.

In the case of the fake Telegram app, FlyGram, the victim must log in as required by the official Telegram app. Even before the login is completed, FlyGram starts communicating with its C&C server, and BadBazaar is able to exfiltrate sensitive information from the device. FlyGram can also access Telegram backups if the user has enabled a specific feature added by the attackers. That feature was activated by at least 13,953 user accounts.

The attacker’s proxy server can record some metadata, but it cannot decipher the actual data and messages exchanged on Telegram itself. Unlike Signal Plus Messenger, FlyGram does not have the ability to link a Telegram account to an attacker’s device or intercept encrypted messages from its victims.

Given the risk that such malicious apps continue to spread, ESET experts recommend downloading apps only from official stores, reviewing the permissions you grant to apps, and installing security solutions that protect your computers and mobile devices from a range of threats.
