New Android spyware targets Signal and Telegram users


Users of Telegram and Signal, two instant messaging apps popular for their emphasis on privacy, are being targeted with novel malware on the Android platform. This is according to new findings from cybersecurity researchers ESET.

In a report shared with The Hacker News earlier this week, the researchers said that the threat actor, which they track as GREF, created fake applications that either impersonated Signal and Telegram or posed as “plus” or “premium” versions.

While these apps were mostly distributed through dedicated websites, they even made it into Android’s official app repository - Google Play Store - as well as Samsung’s official Galaxy Store. The two have since removed the malicious apps from their platforms.


Two apps that the researchers discovered were named “Signal Plus Messenger”, and “FlyGram”, with the latter being available since June 2020 and amassing more than 5,000 downloads since then. Both apps are still available for download through their respective standalone websites (and possibly other means, too).

These mobile apps delivered the BadBazaar spyware to their victims. BadBazaar is a piece of malicious code first discovered in November 2022, when researchers observed it being used to target the Uyghur community in China, The Hacker News reports.

Read more

> This stalkerware tracked thousands of Android and iPhones

> Stalkerware tycoon told to alert victims, pay major fine

> These are the best ID theft protection solutions around today

The malware is designed to steal sensitive data from target endpoints, including call logs, SMS messages, locations, and more. It’s also capable of stealing data from Signal and Telegram, including Signal PIN and Telegram’s chat backups. The publication claims this is the first time Signal users were targeted.

The targets seem to be scattered all over the world, though. Victims were observed in Germany, Poland, and the U.S., but also in Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.

"BadBazaar's main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device," the researchers concluded.

Via: The Hacker News