Users of Telegram and Signal, two instant messaging apps famous for their emphasis on privacy, are being targeted by new malware on the Android platform. This is according to new findings by ESET cybersecurity researchers.
In a report shared with The Hacker News earlier this week, researchers said the threat actor, whom they track as GREF, created fake applications that either impersonated Signal and Telegram or presented themselves as “plus” or “premium”.
While these apps were mostly distributed through dedicated websites, they also landed in Android’s official app repository – the Google Play Store – as well as Samsung’s official Galaxy Store. The two have since removed the malicious apps from their platforms.
Two apps discovered by the researchers were called ‘Signal Plus Messenger’ and ‘FlyGram’, the latter of which has been available since June 2020 and has since amassed more than 5,000 downloads. Both apps are still available for download via their respective standalone websites (and possibly by other means as well).
These mobile apps delivered BadBazaar spyware to their victims. BadBazaar is malicious code first discovered in November 2022, when researchers observed it being used to target the Uyghur community in China, reports The Hacker News.
The malware is designed to steal sensitive data from target endpoints including call logs, SMS messages, locations and more. It is also capable of stealing data from Signal and Telegram, including Signal PIN and Telegram chat backups. The publication claims that this is the first time that Signal users have been targeted.
The targets, however, seem to be scattered all over the world. Victims have been observed in Germany, Poland and the United States, but also in Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain and Yemen.
“The main purpose of BadBazaar is to steal device information, contact list, call logs and installed apps list as well as conduct spying on Signal messages by secretly linking victim’s Signal Plus Messenger app to the attacker’s device,” concluded the researchers.
Via: The Hacker News