Key Findings
- Fake Signal and Telegram apps have been distributed through the Google Play Store and Samsung Galaxy Store.
- The apps are designed to steal user data, including contact lists, call logs, and device information.
- The apps were created by a Chinese APT known as GREF, while malicious code found in these apps is attributed to the BadBazaar malware.
- The apps were initially targeted at users in China, but have since expanded to other countries.
- If you have installed Signal Plus Messenger or FlyGram, you should remove them from your phone.
- Before uninstalling the apps, make sure to unlink your Signal and Telegram accounts to prevent further data exposure.
Cybersecurity researchers have warned of fake Signal and Telegram apps that have been distributed through the Google Play Store and Samsung Galaxy Store. The apps, which are called Signal Plus Messenger and FlyGram, are designed to steal user data, including contact lists, call logs, and device information.
Signal Plus Messenger, a bogus version of the popular Signal app, managed to slip under the radar for nine months in the Google Play Store. It garnered over 100 downloads before Google finally removed it from the app storefront.
FlyGram, developed by the same threat actor, followed a similar trajectory but was removed in 2021. The Slovak cybersecurity firm ESET has identified these apps as malicious versions of Signal and Telegram, designed to deliver malware to unsuspecting users.
These fake apps were more than just imitations; they were sophisticated tools for cyber espionage. In a blog post, ESET researchers mentioned that the counterfeit Telegram app could harvest basic device information, sensitive data, Google accounts, and call logs. Additionally, it had a feature enabling it to back up data to a remote server controlled by the attacker.
The malicious Signal Plus app, on the other hand, could monitor both incoming and outgoing messages, transmitting them to a remote server for unauthorized access. To appear legitimate, dedicated websites were created for both apps, complete with links for direct installation from the Google Play Store.
The apps were created by a China-based hacking group known as GREF. GREF, also know as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon, was also pointed out in July 2020 over the China’s insidious surveillance against Uyghurs with Android malware
Back in March 2018, these same threat actors were also found targeting a UK Government Contractor to steal military technology secrets. GREF is know the BadBazaar malware and in this campaign, the malicious code found in these apps is also attributed to the BadBazaar malware.
This should not be surprising, as another Chinese APT group, Smishing Triad, was recently reported to be carrying out a large-scale smishing campaign against users in the United States. This attack involved impersonating leading mail and delivery services.
Initially, users in China were the primary targets of these fake apps. However, the threat has since expanded to include users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.
If you’ve unwittingly installed Signal Plus Messenger or FlyGram, removing them from your phone is crucial. However, exercise caution when doing so. Before uninstalling these apps, make sure to unlink your Signal and Telegram accounts to prevent further data exposure. Google has labeled these apps as malicious and capable of stealing personal information.
Some quick tips for staying safe from fake apps
- Only download apps from official app stores, such as the Google Play Store and the Apple App Store.
- Be wary of apps that ask for more permissions than they need.
- Read the reviews of an app before you download it.
- Keep your apps updated.
- Regularly scan your device for malware using a security app.