ESET warns of the spread of fake Telegram and Signal applications whose purpose is to spy on victims. Thousands of users have already downloaded the malicious apps. The spyware was distributed through the Google Play store, the Samsung Galaxy Store and dedicated websites. According to telemetry data, the samples were detected on Android devices in Ukraine, several EU countries, the USA and other countries.
In addition to the capabilities of Signal and Telegram, the fake versions contain malicious code added by the attackers. The spyware apps are named FlyGram and Signal Plus Messenger. The first has spread since July 2020, the second since July 2022. Signal Plus Messenger is also the first recorded case of spying on the messages of Signal users. Both apps have since been removed from Google Play. This activity is linked to the Chinese APT group GREF.
The main purpose of the BadBazaar malware is to obtain device information, the contact list, call logs and the list of installed applications, and to spy on Signal messages by surreptitiously linking the Signal Plus Messenger application to the attacker’s device.
On first launch, the user has to sign in to Signal Plus Messenger, just as in the official Signal app for Android. After login, the application starts exchanging data with its command and control (C&C) server. It spies on messages by abusing the “Tethered Devices” feature without the user’s authorization: the compromised device is automatically linked to a device controlled by the attacker.
This espionage method is unique: ESET researchers have not previously documented attackers abusing this feature. It is also the only method by which an attacker can gain access to the content of the messenger’s messages. ESET researchers informed the Signal developers about the problem.
In the case of the fake Telegram app, FlyGram, the victim has to log in as required by the official Telegram app. Before the login is complete, FlyGram begins exchanging data with the command server, and BadBazaar is able to intercept sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a certain feature added by the attackers. This feature has been activated by at least 14,000 user accounts.
The attacker’s proxy can log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike Signal Plus Messenger, FlyGram has no way to link a Telegram account to the attacker or to intercept its victims’ encrypted messages.
Given the risk that such malware will spread further, experts recommend downloading apps only from official stores, monitoring the permissions granted to apps, and installing security solutions to protect computers and mobile devices from various threats.