Hackers have developed a sneaky new tactic to push malware onto your phone and snoop on your conversations. Researchers at the cybersecurity firm ESET found fake apps in the Google and Samsung app stores that posed as extensions or premium versions of the popular messaging platforms Signal and Telegram designed to steal user data.
The malicious apps, called Signal Plus Messenger and FlyGram, could pull sensitive information from legitimate Signal and Telegram accounts, including call logs, SMS messages, locations and more, when users took certain actions.
Here’s how it works: Signal and Telegram enable users to link the mobile app to their other devices, such as their desktop or one of the best tablets. These malicious apps leverage this feature to automatically connect a compromised device to the attacker’s Signal, allowing them to spy on their communications while the user is none the wiser.
Google and Samsung have removed both apps from their respective app stores, but not before they racked up thousands of downloads. Signal Plus Messenger went live on the Play Store in July 2022 and was downloaded roughly 100 times before Google took it down in April in response to a tip from ESET, according to a report from The Hacker News. An app called FlyGram received 5,000 downloads after launching on the Play Store in June 2020 before its removal the next year.
How to protect your Android phone
That the discovery of this stealthy “auto-linking” capability has largely gone unnoticed until now is particularly concerning. If you have either Signal Plus Messenger and FlyGram downloaded on your Android phone, you should uninstall them immediately. To keep your phone safe moving forward, it’s important to download only the legitimate versions of Signal and Telegram, as well as periodically check Settings > Linked Devices to make sure no unrecognized devices pop up.
This campaign marks an unprecedented attempt to snoop on some of the most popular messaging apps in the world. Both malicious apps were built on open-source code available from Signal and Telegram. Within that code, hackers stealthily wove in the espionage tool tracked as BadBazaar, a Trojan used in previous attacks targeting Uyghurs and other Turkic ethnic minorities. ESET told the outlet it suspects the China-aligned hacking group known as GREF is behind the campaign.
“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” security researcher Lukáš Štefanko said in an interview with The Hacker News.
In a statement to Forbes this week, Signal president Meredith Whittaker said the company was “deeply concerned for anyone who trusted and downloaded this app.” She praised Google for removing “this pernicious malware masquerading as Signal off their platform,” and urged Samsung to follow suit, which it has since.