2023: Fake copies of Telegram with built-in spyware hit the official Google and Samsung app stores and are downloaded by users around the world
On August 30, 2023, ESET, a company specializing in information security, announced that fake Telegram and Signal applications with built-in spyware were being distributed through the official Google Play and Samsung Galaxy Store, as well as through dedicated websites. The dangerous programs were downloaded by thousands of users around the world.
In addition to the standard capabilities of these messengers, the fake versions contain malicious code added by the attackers. The malware was named FlyGram and Signal Plus Messenger: the first has been distributed since July 2020, the second since July 2022. The investigation showed that the fake applications were downloaded by users in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the USA, Yemen and other countries.
Malicious code from the BadBazaar family was hidden in fake Signal and Telegram programs that retain all the usual functionality, while the espionage takes place in the background, says Lukas Stefanko, an ESET researcher.
In the case of the fake Telegram application carrying the malicious FlyGram code, the victim must log in, just as the official app requires. Even before the connection is complete, the malware begins exchanging data with its command-and-control server, and BadBazaar is able to intercept confidential information from the device. The attacker's proxy server can record some metadata, but it is not able to decrypt the messages exchanged within Telegram itself.
In Signal Plus Messenger, by contrast, the malicious code can spy on messages after login by abusing Signal's Linked Devices feature: it silently links the compromised device to the attacker's system as an additional device on the victim's account. This espionage method is described as unique, since ESET researchers had not previously recorded cybercriminals abusing this feature.[1]