Mobile phones have become an essential part of daily life, and with them come apps: for everything from chatting to creating short videos for social media to financial transactions, there are plenty to choose from. Most of these apps are free, yet users sometimes assume that an app carrying a 'plus' or 'pro' tag, or a modified (mod) app downloaded from a torrent site, will offer more features. This is not true. In fact, hackers have been found planting apps that pretend to offer more features than the official ones.
Fake apps planted by hackers on official app stores like the Google Play Store can be particularly challenging to identify, as they often masquerade as legitimate apps.
Researchers at security software and services-provider ESET say they found spying apps in the Google Play Store masquerading as legitimate ones for the Signal and Telegram messaging platforms. These malicious apps could pull messages or other sensitive information from legitimate accounts when users take certain actions.
Signal Plus Messenger app was available on Google Play for nine months and on the Samsung app store. Many users downloaded this app before it was removed. Similarly, an app calling itself FlyGram (mimicking Telegram) was created by the same threat actor and was available through these platforms.
Signal Plus Messenger and FlyGram were built on open-source code from Signal and Telegram.
According to ESET, Signal Plus Messenger represents the first documented case of spying on a victim's Signal communications by secretly auto-linking the compromised device to the attacker's Signal device. "The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned advanced persistent threat (APT) group called GREF. Thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the US, Ukraine, and other places worldwide."
ESET researcher Lukáš Štefanko, who made the discovery, says, "Malicious code from the BadBazaar family was hidden in trojanised Signal and Telegram apps, which provide victims with a working app experience but with espionage happening in the background. BadBazaar's main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device."
Explaining the modus operandi of these spy apps, ESET says that once the user has logged in, Signal Plus Messenger starts to communicate with its command and control (C&C) server. Signal Plus Messenger can spy on Signal messages by misusing Signal's 'link device' feature: it automatically links the compromised device to the attacker's Signal device, so the attacker's device receives the victim's messages as an ordinary linked device would.
"This method of spying is unique. ESET researchers have not seen this functionality being misused before by other malware, and this is the only method by which the attacker can obtain the content of Signal messages," it added.
FlyGram goes one step further than Signal Plus Messenger. It starts communicating with the C&C server even before the login is complete, which lets BadBazaar exfiltrate sensitive information from the device earlier. "FlyGram can access Telegram backups if the user has enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts. The attacker's proxy server may be able to log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike the Signal Plus Messenger, FlyGram lacks the ability to link a Telegram account to the attacker or intercept the encrypted communications of its victims," ESET says.
Identifying fake or fraudulent mobile apps is essential for protecting your privacy and security.
Here are some steps you can take to identify such apps:
• Before downloading an app, check its reviews and ratings. Be wary of apps with few or no reviews, or apps with mostly negative reviews. Read some of the reviews to see if users have reported any suspicious activity.
• Look at the developer's name and website. Established developers are more likely to have legitimate apps. Be cautious if the developer's name or website looks suspicious or unfamiliar.
• Be cautious of apps that appear to be clones of popular apps. Hackers sometimes create fake versions of well-known apps to trick users into downloading them. Compare the app's name, logo, and developer information to the official version.
• Evaluate whether the app's purpose matches its description and functionality. If it promises too much or offers something too good to be true, it may be a scam.
• Avoid clicking on suspicious links or ads that prompt you to download an app from an unofficial source.
• If something does not feel right about an app, trust your instincts and avoid downloading it. It is better to be cautious than to risk compromising the security of your device and your privacy.
• During app installation, review the permissions the app requests. Be cautious if an app asks for unnecessary or excessive permissions unrelated to its functionality. For example, a calculator app should not seek access to your contacts or camera.
• Install good mobile security software on your device. These security apps can help detect and protect against malware, including fake and malicious apps.
• Ensure your device's operating system and apps are up-to-date. Security updates often include patches for vulnerabilities that hackers may exploit.
• Periodically review the apps installed on your device. If you find any unfamiliar or suspicious apps, uninstall them immediately.
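As an added illustration of three of the checks above (clones of well-known apps, permissions that do not fit an app's purpose, and periodic review of installed apps), here is a small Python triage script written for this article; it is not ESET's, Google's or Signal's tooling. It assumes the genuine apps' published package names (org.thoughtcrime.securesms for Signal, org.telegram.messenger for Telegram); the app inventory and the lookalikes' package names are constructed placeholders.

```python
# Added example (not ESET's tooling): flag lookalike names and unexpected permissions.
from dataclasses import dataclass

# Package names of the genuine apps the lookalikes in this story imitate.
OFFICIAL = {"signal": "org.thoughtcrime.securesms", "telegram": "org.telegram.messenger"}
# Permissions worth questioning, and which of them a stated purpose justifies.
SENSITIVE = {"READ_CONTACTS", "READ_CALL_LOG", "READ_SMS", "CAMERA", "RECORD_AUDIO"}
EXPECTED = {"messenger": {"READ_CONTACTS", "CAMERA", "RECORD_AUDIO"}}

@dataclass
class App:
    label: str        # name shown in the store or launcher
    package: str      # Android package name
    purpose: str      # what the app claims to be
    permissions: set  # requested android.permission.* names, prefix stripped

def lookalike_of(app):
    """Brand whose name the label borrows while the package is not that brand's."""
    for brand, official_pkg in OFFICIAL.items():
        if brand in app.label.lower() and app.package != official_pkg:
            return brand
    return None

def unexpected_permissions(app):
    """Sensitive permissions the app's stated purpose does not account for."""
    return sorted((app.permissions & SENSITIVE) - EXPECTED.get(app.purpose, set()))

def triage(apps):
    """Map package -> findings, only for apps that have any."""
    findings = {}
    for app in apps:
        issues = []
        if brand := lookalike_of(app):
            issues.append(f"label imitates {brand} but package is {app.package}")
        issues += [f"requests {p} unrelated to a {app.purpose}" for p in unexpected_permissions(app)]
        if issues:
            findings[app.package] = issues
    return findings

# Constructed sample inventory; the lookalike package names are placeholders.
SAMPLE = [
    App("Signal", OFFICIAL["signal"], "messenger", {"READ_CONTACTS", "CAMERA"}),
    App("Signal Plus Messenger", "com.example.signalplus", "messenger", {"READ_CONTACTS", "READ_CALL_LOG"}),
    App("FlyGram", "com.example.flygram", "messenger", {"READ_CONTACTS", "READ_CALL_LOG"}),
    App("Calculator", "com.example.calc", "calculator", {"READ_CONTACTS", "CAMERA"}),
]
```

Name matching alone misses FlyGram, whose label does not contain "telegram"; it is caught only by the call-log permission a messenger has no reason to request, which is why the two checks are combined.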
Staying vigilant and practising good cybersecurity habits is crucial in protecting your mobile device from fake apps and other security threats.
However, remember that the steps above are basic guidance only: detecting fake apps planted by hackers is difficult, because cybercriminals are becoming increasingly sophisticated in their methods. So remain cautious and alert when downloading and using any app.
Stay Alert, Stay Safe!