One way to sabotage security is to pretend to be that security.
A secure messaging app is an app that provides end-to-end encryption of texts. The encryption would, for example, enable China-based users of the app to complain to other China-based users about the viciousness of the Chinese Communist Party without either participant getting arrested an hour later—at least not because of the content of the encrypted messages, which cannot be read by third parties who intercept them. Signal has its shortcomings, like the requirement that users provide their phone numbers, and these shortcomings may make it unsuitable for certain users. But within its limits, the messenger app we call Signal is regarded as a secure platform.
Unless it’s a bogus Signal app, planted in an app store by Chinese hackers and designed to ensnare persons concerned about security. Thomas Brewster of Forbes reports (August 30, 2023):
A fake version of the private messaging app Signal has found a way onto Google Play [and other Android stores] and appears to be linked to a Chinese spy operation, researchers claimed on Wednesday. . . .
The standard version of Signal allows users to link the mobile app to their desktop or Apple iPad. The malicious Signal Plus Messenger abused that feature by automatically connecting the compromised device to the attacker’s Signal in the background, so all messages were passed onto their account, [Lukas] Stefanko told Forbes. That happens “without the user noticing anything or accepting any notification, it is all done in silence,” he said. According to Stefanko, who published a blog and a YouTube video on the machinations of the attack, this was the first documented case of spying on a victim’s Signal via secret “autolinking.”
Stefanko is a researcher for the cybersecurity firm ESET. A couple of years ago, ESET discovered another fake secure messenger app that had made its way into Android app stores, FlyGram, apparently coded by the same bad guy or bad guys responsible for Signal Plus Messenger. According to Stefanko’s welivesecurity post, FlyGram can extract a range of data, including contact lists and call logs, but not the Telegram contact list or messages.
Nevertheless, if users enable a specific FlyGram feature that allows them to back up and restore Telegram data to a remote server controlled by the attackers, the threat actor will have full access to these Telegram backups, not only the collected metadata.
On the other hand:
Signal Plus Messenger collects similar device data and sensitive information; its main goal, however, is to spy on the victim’s Signal communications—it can extract the Signal PIN number that protects the Signal account, and misuses the link device feature that allows users to link Signal Desktop and Signal iPad to their phones. This spying approach stands out due to its uniqueness, as it differs from the functionality of any other known malware.
Stefanko reports that Google Play removed FlyGram some time after January 6, 2021. It removed Signal Plus Messenger on May 23, 2023, almost a month after ESET reported the problem. But: “At the time of writing [August 30, 2023], both apps are still available on the Samsung Galaxy Store.”