Investigators say they found fake apps on Google Play posing as legitimate apps for the Signal and Telegram messaging platforms. The malicious apps can pull messages or other sensitive information from legitimate accounts when users take certain actions. ArsTechnica: An app called Signal Plus Messenger was available on Play for nine months and had been downloaded from Play about 100 times before Google removed it last April after being tipped off by security firm ESET. It was also available in the Samsung app store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app calling itself FlyGram, meanwhile, was created by the same threat actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.
Both apps are built on open source code available from Signal and Telegram. Woven into that code was a spy tool, tracked as BadBazaar. The Trojan is linked to a China-aligned hacking group tracked as GREF. BadBazaar has previously been used to target Uyghurs and other Turkic ethnic minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it with previous targets of the BadBazaar malware family. Signal Plus can monitor sent and received messages and contacts when people connect their infected device to their legitimate Signal number, as is normal when someone installs Signal on their device for the first time. According to ESET's analysis, the app achieves this by abusing Signal's device-linking feature: it silently links an attacker-controlled device to the victim's account, so the attacker receives the victim's messages the same way a legitimately linked Signal Desktop would. A linked device added this way shows up in Signal's Linked Devices settings, which is the place to check for entries the user does not recognize. Once the account is linked, the malicious app sends a host of private data to the attacker, including the device's IMEI number, phone number, MAC address, operator details, location data, Wi-Fi information, emails for Google accounts, contact list, and a PIN used to transfer text messages if the user has set one.