JAKARTA - Fake applications disguised as Signal and Telegram, containing the BadBazaar spyware, were found by researchers on the Google Play Store as well as the Samsung Galaxy Store.

BadBazaar itself can track the device's location precisely, steal call logs and SMS messages, record phone calls, take pictures with the camera, export contact lists, and steal files or databases.

This malware was previously used to target ethnic minorities in China, but this time ESET security researcher Lukas Stefanko found the attackers targeting users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States (US).

The fake app listed as Signal Plus Messenger was downloaded about 100 times before Google removed it last April after being notified by ESET.

It was also available on the Samsung app store and on signalplusdotorg, a dedicated website that imitates the official Signal.org. There is also a fake Telegram application called FlyGram, which has been downloaded 5,000 times, was made by the same threat actors, and is available through three similar channels.

Google removed it in 2021. However, both applications are still available on the Samsung Galaxy Store. According to the research, Signal Plus Messenger and FlyGram were built from the open source code of the original Signal and Telegram apps, with BadBazaar embedded into that code.

The FlyGram malware was also shared in a Uyghur Telegram group. The app targets sensitive data such as contact lists, call logs, Google accounts and Wi-Fi data, and offers a malicious backup feature that sends Telegram communication data to attacker-controlled servers.

Signal Plus Messenger, meanwhile, can monitor sent and received messages and contacts if the victim links the infected device to their valid Signal number, as is usual when someone first installs the app on a device.

This causes the fake app to send a range of personal information to the attackers, including the device's IMEI number, phone number, MAC address, carrier details, location data, Wi-Fi information, the email address of the Google account, contact lists, and the PIN used for transferring messages, if the user has set one.

"Signal Plus Messenger can spy on Signal messages by abusing the linked-device feature. This is done by automatically connecting the compromised device to the attacker's Signal device," Stefanko said, as quoted by Ars Technica and BleepingComputer on Thursday, August 31.

"This espionage method is unique, because we have never seen this function misused before by other malware, and this is the only method the attackers use to get Signal message content," he added.

Stefanko explained that BadBazaar can bypass the usual QR-code scan and tap by the user: it receives a URI from its C&C server and immediately triggers the required action when the device's link button is clicked.

"This allows the malware to secretly connect the victim's smartphone to the attacker's device, allowing them to spy on Signal communications without the victim's knowledge," Stefanko said.

He added that during the study the server had not yet returned the URI to be linked to the device, which suggests it is most likely only enabled for specific targeted users, based on data previously sent by the malware to the C&C server.

"The only way to avoid becoming a victim of fake Signal or other malicious messaging apps is to download only the official version of the application, and only from official channels," said Stefanko.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)