Security News > 2023 > August > Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store

ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications - the malicious apps are FlyGram and Signal Plus Messenger.

Threat actors exploit fake Signal and Telegram apps.

The threat actors achieved the functionalities in the fake Signal and Telegram apps by patching the open-source Signal and Telegram apps for Android with malicious code.

Signal Plus Messenger is the first documented case of spying on a victim's Signal communications; thousands of users downloaded the spy apps.

"Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background," says ESET researcher Lukáš Štefanko, who made the discovery.

As a Google App Defense Alliance partner, ESET identified the most recent version of the Signal Plus Messenger as malicious and promptly shared its findings with Google.

News URL

https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/