Instant messaging apps such as Telegram and Signal have exploded in popularity in recent years thanks to their convenience, encryption capabilities, and "privacy focus". However, while the official versions of these apps can reasonably be trusted, modified versions found on app stores like Google Play have increasingly been found to contain dangerous spyware.
These trojanized messenger mods are often advertised as faster, more optimized, or feature-rich versions of the original apps. Sadly, the reality is that these modded versions are often designed to steal users' sensitive data like messages, files, contacts, location, and more.
An Ongoing Issue: Malware Disguised as Legitimate Apps
While Google and Apple thoroughly vet the apps published on their official stores, malware still consistently slips through the cracks. Cybercriminals have become adept at making their spyware-loaded apps appear legitimate.
For example, a recent investigation found over 60 dangerous apps on the Google Play Store with over 100 million total downloads before they were removed. The apps included banking Trojans, adware, and spyware posing as legitimate software.
Hackers take advantage of the open-source nature of apps like Telegram and Signal. They inject malware into the code and publish forked versions to app stores. The interface, branding, and descriptions closely mimic the real app to avoid raising red flags.
Infected Telegram Mods Targeting Chinese Users
Researchers at Kaspersky uncovered infected Telegram apps on Google Play posing as Chinese and Uyghur language versions of Telegram. The malware secretly sent users' messages, files, contacts, device info, and other Telegram data to a command and control server.
The apps advertised faster speeds than the official Telegram app to entice downloads. Their interface and language-specific branding gave no indication of the spyware lurking within.
Trojanized Signal and Telegram Apps Found on Google Play
In August 2022, security researchers discovered another dangerous campaign involving trojanized Signal and Telegram apps on Google Play and Samsung Galaxy Store.
A fake Telegram app called FlyGram, which was advertised as an alternative to Telegram, and a spoofed Signal app dubbed Signal Plus Messenger contained the full functionality of the legitimate apps, along with spyware capabilities:
- FlyGram could steal contacts, call logs, app lists, Wi-Fi data, files, and trick users into sending Telegram data to attacker servers.
- Signal Plus covertly linked victims' app accounts to attacker devices, allowing real-time interception of chat messages.
Both apps were attributed to the GREF Chinese hacking group and used an Android spyware called BadBazaar. Though Google removed the apps from their store in early 2023, Samsung's store still hosted them months later.
1.5 Million Downloads of Spyware Apps on Google Play
In one of the most far-reaching spyware campaigns, researchers discovered two Android apps on Google Play with over 1.5 million combined downloads transmitting user data to China.
The utility apps File Recovery and File Manager contained hidden spyware that extracted contacts, photos, location, device details, and other personal information.
The apps had high permissions and used tricks like disabled icons to avoid deletion. They were removed from Google Play after the spyware was uncovered. However, countless victims likely remain unaware of the data theft.
How Spyware Messenger Mods Work
While the capabilities vary by threat actor, the core spyware functionality remains consistent across infected messenger mods:
- The apps look visually identical to the real version, using official branding, logos, and descriptions.
- Installation and account registration match the real process, with language localization in some cases.
- The malicious apps operate normally, allowing messaging, file sharing, and other expected features.
- In the background, code extracts sensitive data from the device like contacts, messages, photos, location, etc.
- Exfiltrated data gets encrypted and transmitted to a command and control server owned by the hackers behind the spyware.
- Advanced capabilities like linking attacker devices to victim accounts for live message interception are sometimes implemented.
- Auto-launch, disabled icons, and uninstall protection make the apps persistent on infected devices.
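The manifest-level traits listed above (broad data-access permissions, a package name that mimics the official app, a disabled launcher icon, and a boot-time auto-launch receiver) can be checked statically from a decoded AndroidManifest.xml. The following Python script is an added example written for this post, not code from any researcher or project it cites; the two manifests it parses are constructed for illustration, and the official package names it compares against (org.telegram.messenger for Telegram, org.thoughtcrime.securesms for Signal) are their Google Play identifiers. It is a triage heuristic for a defender: a finding means "look closer", not "malicious".

```python
"""Static triage of a decoded AndroidManifest.xml for messenger-mod spyware
traits: broad permissions, lookalike package name, hidden launcher icon and
boot-time auto-launch. Heuristic only; findings are leads, not verdicts."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Official Google Play package names of the messengers discussed in the post.
OFFICIAL_PACKAGES = {
    "org.telegram.messenger": "Telegram",
    "org.thoughtcrime.securesms": "Signal",
}

# Permissions that together cover the data these mods are reported to steal.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def triage_manifest(xml_text: str) -> dict:
    """Return {'package': str, 'findings': [(code, detail), ...]}."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []

    # 1. Broad grant of data-access permissions.
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if len(sensitive) >= 3:
        findings.append(("broad_permissions", ", ".join(sensitive)))

    # 2. Package shares the official vendor prefix but is not the official package.
    for official, name in OFFICIAL_PACKAGES.items():
        vendor_prefix = official.rsplit(".", 1)[0] + "."
        if package != official and package.startswith(vendor_prefix):
            findings.append(("lookalike_package", f"{package} mimics {name} ({official})"))

    # 3. Launcher entry that is disabled in the manifest (icon hidden until the
    #    app enables it at runtime), or no launcher entry at all.
    launcher_seen = False
    components = list(root.iter("activity")) + list(root.iter("activity-alias"))
    for comp in components:
        for filt in comp.iter("intent-filter"):
            cats = {c.get(ANDROID_NS + "name") for c in filt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                launcher_seen = True
                if comp.get(ANDROID_NS + "enabled") == "false":
                    findings.append(("hidden_icon", comp.get(ANDROID_NS + "name")))
    if not launcher_seen:
        findings.append(("no_launcher", "no MAIN/LAUNCHER entry: app shows no icon"))

    # 4. Receiver that starts the app at boot (persistence).
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("boot_autostart", recv.get(ANDROID_NS + "name")))

    return {"package": package, "findings": findings}


# Constructed sample: a "Telegram mod" manifest showing all four traits.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.telegram.plus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Telegram">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity"
        android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an unremarkable app that triggers no finding.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, result["package"], result["findings"])
```

Decode the manifest first (for example with apktool, which is not required by the script), then feed the XML text to triage_manifest. The permission threshold and the vendor-prefix rule are deliberately loose; an official client may legitimately request several of these permissions, so the output is meant to prioritise manual review of an unfamiliar APK rather than replace it.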
Threat actors go to great lengths to make these apps seem authentic on the surface while stealthily stealing data behind the scenes. These tactics allow the malware to remain undetected for long periods.
Avoiding Spyware in Messenger Apps
The prevalence of trojanized apps on official mobile app stores highlights the importance of smartphone security hygiene. Follow these tips to avoid having your private conversations and info compromised:
- Only download apps from trusted sources like Google Play and the Apple App Store. Even there, vigilance is still needed.
- Prioritize the official app versions of messaging services like WhatsApp, Signal, Telegram, etc. Avoid "mods."
- Check app reviews, ratings, uninstall rates, and developer details before downloading.
- Install a mobile security app to scan for potential malware and spyware.
- Be selective in granting app permissions that could expose messages, contacts, camera, location, etc.
- Keep messaging apps updated to the latest secure versions.
- Watch for suspicious activity like device overheating, fast battery drain, or sluggish performance as possible infection indicators.
- Periodically review linked devices and authorized sessions in app settings to check for unauthorized access.
- Enable remote wipe capabilities in case your device is lost or stolen.
Exercising caution when downloading apps, limiting permissions, and running mobile antivirus can help avoid falling prey to the growing threat of spyware camouflaged as popular messaging platforms.
Moving Forward: Enhanced App Store Security Needed
The incidents covered in this post reveal an unpleasant truth - Google Play, Samsung Galaxy Store, and other mobile app platforms continue to harbor spyware-infected apps that put millions of users at risk.
For their part, Google does remove discovered malware from their store and uses screening tools like Play Protect. However, these protections are proving insufficient against more sophisticated hackers.
Apple's rigorous App Store review process also blocks most malicious apps, but a few still slip through. Overall, the growing scale and sophistication of malware calls for enhanced security measures and threat hunting across major mobile app stores.
Consumers, you and me included, must exercise caution and avoid downloading unvetted apps, especially messaging app mods, to protect our smartphones and data. Stay vigilant and use trusted cybersecurity software for optimal defense against mobile spyware threats.