New Android spyware targets Signal and Telegram users

News
By Sead Fadilpašić
published

By posing as legitimate apps, malware sneaked into thousands of mobile phones

Messaging
(Image credit: Future)

Users of Telegram and Signal, two instant messaging apps popular for their emphasis on privacy, are being targeted with novel malware on the Android platform. This is according to new findings from cybersecurity researchers ESET.

In a report shared with The Hacker News earlier this week, the researchers said that the threat actor, which they track as GREF, created fake applications that either impersonated Signal and Telegram or posed as “plus” or “premium” versions. 

While these apps were mostly distributed through dedicated websites, they even made it into Android’s official app repository - Google Play Store - as well as Samsung’s official Galaxy Store. The two have since removed the malicious apps from their platforms.

BadBazaar

Two apps that the researchers discovered were named “Signal Plus Messenger”, and “FlyGram”, with the latter being available since June 2020 and amassing more than 5,000 downloads since then. Both apps are still available for download through their respective standalone websites (and possibly other means, too).

These mobile apps delivered the BadBazaar spyware to their victims. BadBazaar is a piece of malicious code first discovered in November 2022, when researchers observed it being used to target the Uyghur community in China, The Hacker News reports. 

Read more

> This stalkerware tracked thousands of Android and iPhones

> Stalkerware tycoon told to alert victims, pay major fine

> These are the best ID theft protection solutions around today

The malware is designed to steal sensitive data from target endpoints, including call logs, SMS messages, locations, and more. It’s also capable of stealing data from Signal and Telegram, including Signal PIN and Telegram’s chat backups. The publication claims this is the first time Signal users were targeted.

The targets seem to be scattered all over the world, though. Victims were observed in Germany, Poland, and the U.S., but also in Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.

"BadBazaar's main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device," the researchers concluded.

Edit, September 7, 2023: A Samsung spokesperson reached out to TechRadar with the following statement: “The apps FlyGram and Signal Plus Messenger have already been removed from the Galaxy Store, and are no longer available for download.”

Via: The Hacker News

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.