Fake Signal and Telegram Apps in the Google Play Store

Google removed fake Signal and Telegram apps from its Play store.

An app with the name Signal Plus Messenger was available on Play for nine months and had been downloaded from Play roughly 100 times before Google took it down last April after being tipped off by security firm ESET. It was also available in the Samsung app store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app calling itself FlyGram, meanwhile, was created by the same threat actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.

Both apps were built on open source code available from Signal and Telegram. Interwoven into that code was an espionage tool tracked as BadBazaar. The Trojan has been linked to a China-aligned hacking group tracked as GREF. BadBazaar has been used previously to target Uyghurs and other Turkic ethnic minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it to previous targeting by the BadBazaar malware family.

Signal Plus could monitor sent and received messages and contacts if people connected their infected device to their legitimate Signal number, as is normal when someone first installs Signal on their device. Doing so caused the malicious app to send a host of private information to the attacker, including the device IMEI number, phone number, MAC address, operator details, location data, Wi-Fi information, emails for Google accounts, contact list, and a PIN used to transfer texts in the event one was set up by the user.

This kind of thing is really scary.

Posted on September 14, 2023 at 7:05 AM • 19 Comments

Comments

IsItJustAPlayStoreForThem? September 14, 2023 9:13 AM

An app with the name Signal Plus Messenger was available on Play for nine months

Why is it always (well, 99% of the time) Google Play store and not the Apple App store that has this cr*p?

Really they should take their job seriously, whether running a “Play Store” or not.

Clive Robinson September 14, 2023 10:04 AM

@ IsItJustAPlayStoreForThem, ALL,

Re : It’s ROI at work.

“Why is it always … Google Play store and not the Apple App store”

Apple is not as popular as it once was and whilst it may be the phone that has the highest purchase rate… When you add up all the Android phones etc there are more of them than there are iPhones.

Also it’s argued that developing Android apps is easier than Apple apps, but also Apple want money etc so traceability is more of a concern.

Overall the ROI on general malware for Apple is less than on Google.

But… The problem Apple has is iOS is becoming more problematic and it’s not going as gracefully up the complexity curve as it could do.

This is making it look like Apple are not putting the effort in as observed just yesterday… What Apple will do to keep its “security” image is going to prove interesting over the next couple of years…

Clive Robinson September 14, 2023 10:58 AM

@ Bruce, ALL,

Re : The way of the world.

“This kind of thing is really scary.”

Hate to worry you all but this is just “a glimpse of a frosty snow on an iceberg in the mist”.

As I’ve mentioned before the likes of “Smart Meters” especially those that use GSM mobile to link back can just by analysing the “power signature” at your mains supply inlet tell what movie you are watching when you turn on the kettle or coffee machine, when you cook, wash your clothes, wash yourself even dry your hair and oh so much more.

As for your flat panel TV and kitchen appliances they will all “ET Phone Home” if they can. Even clothes irons have been found to have WiFi in them…

As for many other things like your “Home Security” they send off audio and video across state borders as do those “personal assistants” and other “smart devices”.

Then there is your IoT lightbulb, your robot vacuum cleaner, etc, etc, etc.

And people wonder why I have none of it in my home and have absolutely no intention of allowing any of it in…

Once I was seen as “paranoid”, now just “cautious”… all in less than a decade or two.

And “NO” I really do not expect it to get any better or less scary…in fact I expect it to get worse, a lot lot worse over the next decade at least.

yet another bruce September 14, 2023 12:02 PM

@Clive

tell what movie you are watching

Can you provide a citation? My local power utility has trouble reliably detecting when I charge my EV. Telling one movie from another sounds like a stretch. It is also not clear to me why GSM is worse for privacy than other data backhaul options.

Winter September 14, 2023 12:54 PM

@yet another bruce

Telling one movie from another sounds like a stretch.

They could do that in the past with water consumption from bathroom breaks.

But then only on a citywide scale.

Paul Suhler September 14, 2023 12:59 PM

My electric power provider tells me how much power is used by my electric water heater, and it’s always a nonzero amount.

Except that my water heater is gas, with no electric connection. Power analysis algorithm is wanting.

Sigh.

yet another bruce September 14, 2023 1:10 PM

@victor

Thank you!

I note that in this proof of concept, the researchers were able to detect which of only three movies was being viewed. The start time of the movie was known and power consumption profiles were captured using the actual televisions under test. I think the canonical wild exploit of this kind of thing would be Capita Business Services Limited finding scofflaws watching the BBC without a license. Provided that they are watching live and not time-shifted.

Morley September 14, 2023 3:33 PM

100 downloads in 9 months? I guess not many people download security apps from forum posts. Maybe it was a test run.

JonKnowsNothing September 14, 2023 6:03 PM

@Morley

re: 100 downloads in 9 months?

100 downloads are more than enough, maybe even 99 too many. All you need is the Target to download. 99 of them might just be the snail bait.

The Target is not always the Top Snail in on the brick.

===

  • A A Milne The Four Friends

James went on a journey with the goats new compass
And he reached the end of his brick.

Anonymous September 14, 2023 7:49 PM

@yet another bruce

Can you provide a citation? My local power utility has trouble reliably detecting when I charge my EV. Telling one movie from another sounds like a stretch

A friend of mine works for a major power supply company and was involved early in the days on the development of smart meters communications over the power grid. +- 15 years back he was telling me they could profile your energy consumption to the point of knowing what type of device you were using and how the company was thinking on monetizing on such insights.

Jose Diaz September 14, 2023 8:58 PM

Our information is always finding new ways to leak, meaning that we are the ones who expose ourselves to these kinds of attacks by trusting too much and thinking ourselves smarter than people who make a living out of phishing. I hope this will help us realize that we are always under attack and must be cautious, look twice, and confirm a third time before downloading or installing any kind of app.

PaulBart September 15, 2023 7:36 AM

“+- 15 years back he was telling me they could profile your energy consumption to the point of knowing what type of device you were using and how the company was thinking on monetizing on such insights.”

Interesting that companies in highly state regulated industries were able to roll this out in democracies. Meh, I guess that is what the voters wanted, since the state that they voted for chose to implement these policies.

Winter September 15, 2023 8:24 AM

@PaulBart

Interesting that companies in highly state regulated industries were able to roll this out in democracies.

If there is no law against it and no one complains, I do not see why they don’t. It is not that privacy law and conscience was that well developed +/-15 years ago.

As far as I know, eg, utility providers in the US can sell any data they can lay their hands on and this is actively encouraged by lawmakers under the doctrine that any data is the property of who collects it.

It is only recently that the idea that personal data is the property of the person was encoded in a law with some teeth (eg, the GDPR). And as far as I know, this idea is still wholly alien to American lawmakers.

JG5 September 15, 2023 9:27 AM

The discussion of smart meters reminded me that I offered some years ago to write up a concept that essentially is a low-pass filter comprised of a battery charger, a bank of lead-acid cells, and an inverter. That can be found here using Gluegle, but not DuckDuck:

https://www.schneier.com/blog/archives/2018/08/friday_squid_bl_639.html/#comment-325500

Essentially, an oversized UPS. At the time, I hadn’t connected the dots to the term microgrid, even though that is exactly what it is. The starting point was to filter out work interruptions, but it turns out to have some symmetry in cancelling or at least attenuating the flow of outbound information.

Fast forward to today, when 370-watt solar panels are $150 +/-, and iron-air batteries will be mass produced shortly. See, for example:

Form Energy’s Virtual Lab Tour
https://www.youtube.com/watch?v=t1kmPNB9tn8

Much more recently, I stumbled into an advertisement for Stop Watt, which claims to reduce home energy consumption by 80 to 90%. It is just another scam, but at least it provided a few minutes of entertainment. A device of that size could produce a meaningful amount of high-frequency noise that would mask some of the current draws in the house. I make no representation that Snopes is or is not owned by partisans who lie for money and/or power:

https://www.snopes.com/fact-check/stopwatt-elon-musk-tesla/

I saw some months ago a discussion aimed at open-source software for managing the flows of energy in such a system. As you might imagine, the flows of information in such a system are of great interest to the Tech Giants. The best that we can hope for is a profoundly dynamic balance of terror. I am willing to tolerate some inconveniences to reduce the flow of information to the liars, thieves, and murderers. In this case, the convenience is that my household is insulated from the problems on their grid. And I will be able to provide power at a significantly lower price.

Clive Robinson September 15, 2023 10:51 AM

@ PaulBart,

Re : Looking up history explains a lot.

“Interesting that companies in highly state regulated industries were able to roll this out in democracies.”

Easy because it was a byproduct of something the politicians wanted more.

If you go far enough back you will find various US electricity suppliers giving free “low energy light bulbs” to every customer and some even had a one for one swap policy.

Low energy light bulbs back then were around 6-12 times the price of consumer multipack 100W incandescent bulbs. Some people were buying them because,

1, They were 20,000hours not 1000.
2, They were around 1/8th the power.

Which meant the much higher price was offset in about a year of normal use.

Now most would think the energy companies would have been against this drop in income. But in many cases they were desperate for it to happen. For two reasons,

1, In some places the Gov paid for the bulbs and cost of delivery etc.
2, The electricity companies could not afford the grid local and backbone upgrades.

So the power saving enabled them to put the spend off for another few quarters cut more maintenance etc so at least keeping their costs down, profits up, and even make a little extra by fiddling the Gov Subs… So keeping share holders happy and their ludicrous bonuses rolling in.

To keep this rolling they came up with the various ludicrous “Smart Grid” ideas, if you remember all your household electronics would be legally mandated to have external override by the grid company, so they could turn your water heaters, AC etc down, oh and turn your freezer from **** to *** or ** which means everything would use 50% or less “real power”.

But unbeknown to consumers whilst “real power” they have to generate goes down, they can fiddle the price back up by charging for “apparent power” in the “Smart Meter” remotely.

Anyone who has passed their electrical fitter / HVAC qualifications can tell you the difference –ask about “Power Factor”– and how you can be charged for power you are not actually using. Worse if you generate excess solar energy and put it into the grid as a lot of home solar systems do, smart meters can charge you for what you are giving to the utility company as though you are using it…

As the utility supplier smart meter fiddle is soft programmed into the meter but the billable power is stored in EEROM/Flash, and unapproved changes to the wiring illegal with very stiff penalties, gathering evidence is not easy or risk free.

Also consider the “power” the Smart Grid gives utilities and others over you. They can turn your heating off in winter, your AC off in summer, turn off your hot water and ability to keep food safe, all without you being able to do anything about it. Oh and also stop your stuff “running off grid”… So you can see why the execs were drooling and having wet dreams over the Smart Grid, likewise, the various “Guard Labour” entities. As for the Politicians it meant that they could pretend they were “being green” when in fact they were handing their energy buddies a way to extract money from you in yet another way…

On the technical side, to be able to do the “power factor” calculations in the smart meter it needs to be able to sense the Voltage and Current not just at peak but its phase as well. So for a 60Hz Grid supply sampling 600 times a second enables them to do the calculations at relatively low cost components wise in the meter.

Being able to sample the load on your mains supply at that rate can be highly informative. Especially with modern home electronics striving for high efficiency PSU’s the “power signature” of the music speech and video brightness in your AV and most other equipment is relatively easy to see thus monitor.

The problem is where do you process this raw data. The Smart Meter won’t have enough processing power, so you would have to communicate the data. Doing it over the local grid wiring means insufficient bandwidth. However using GSM mobile phones even 2G gives you at least the same datarates as those high end modems we used to have built into our PC’s. So your mains power signature could be sent anywhere in the world. Likewise the ability to “burn your home down” that Smart Grid tech can give…

There is however a real problem to doing this, which is getting such detailed information from “everyone at the same time”. Because it causes a telecomm backbone “bandwidth issue”. Which is really the only reason why the idea of gathering it all and selling it to data brokers was dropped.

For now… Both 5G and 6G will have the available “spare capacity” to do such surveillance, at which time it’s likely such plans will go back on utility execs “to do lists”. It is after all from the neo-con view point “Free money left on the floor” all they have to do is pick it up and run with it…

But I’ve said all of this before as well as pointing out the lousy “security” the Smart Grid will have, such is the nature of such things. With the inevitable result that malware and ransomware developers and their buddies “Will be in there like Flynn” and “Filling their boots” at your and mines expense. After all if rapacious utility Corp Execs will be ripping you off every which way they can, why should not ransomware people on the excuse they are “Saving the Planet”…

Winter September 15, 2023 12:45 PM

@Clive

To keep this rolling they came up with the various ludicrous “Smart Grid” ideas, if you remember all your household electronics would be legally mandated to have external override by the grid company,

Smells too much of conspiracies. For one thing, smart meters are expensive.

Consider this. All our cars have to become electrical and all our heating using electrical heat pumps. All our roofs will get solar panels.

On the other hand, the Netherlands already has a shortage of high voltage lines for its grid. In some places companies have to wait years for a grid connection or an increase in capacity. There is a shortage of grid capacity for renewable energy.

Germany has comparable problems.

High power loads in and out the grid require “smart” up- and download points. As most households will need high capacity on and offload capacity, they will need smart meters.

That will happen in 1-2 decades. Which means the grid has to be adapted now.

That the US will mess this up in their usual manner [1] does not mean that will happen in the rest of the world too.

[1] From Texas Freeze to poisonous tapwater, nothing is too absurd in the US.

Huey Pilot September 15, 2023 1:20 PM

Subject: price of poker, and solar, is going up…
Date: Tue, 12 Sep 2023 00:00:00
From: The Huey Pilot
To: Innocent Bystander

Not all states have announced their plans for adopting the IEEE 1547-2018 Standard, but many of the biggest markets for solar PV (e.g., California, Texas, New York) either already have established dates or intend to by the end of 2023.

The most recent revision, published in 2018, incorporated “smart inverter” grid support features and interoperability testing to enable remote DER control by utilities.

Examples of inverter-specific functions under the IEEE 1547-2018 standard include:

■ Voltage regulation: Maintaining voltage level(s) within a specific range(s) through voltage injection or absorption

■ Frequency response: Modulating power output as a function of frequency

■ Active and reactive power support: Maintaining a steady power factor by sourcing or sinking reactive power

■ Local interoperability capability: Ensuring system-wide protection and control via sophisticated programmable functions and communications that will work even during a network failure

■ Ride-through capability: Withstanding abnormal grid conditions such as voltage or frequency disturbances

so the IEEE, national organizations, state regulators and utilities are collaborating to get more functionality from solar PV systems on peasants houses, and making peasants pay for the features by just writing them into the requirements.

http://digital.solarbuildermag.com/articles/smart-inverter-overview-explanation-of-ieee-1547-2018-and-ul-1741-sa-and-sb

Winter September 15, 2023 1:47 PM

@Huey

so the IEEE, national organizations, state regulators and utilities are collaborating to get more functionality from solar PV systems on peasants houses, and making peasants pay for the features by just writing them into the requirements.

Who else would have to pay than the users?

If it is paid out of taxes it is taxpayers=users. If it is the utilities, it is part of the power bill, ie, the user pays. If it is the price of the converter, it still is the user that pays.

In the Netherlands, we get the smart meters for free, but pay for them in the electricity cost (grid transport fees, power tax or some other label).

There are already several test projects to use EVs as grid storage to level off high and low solar and wind production. Smart meters are a must for such applications.
