Deceptive Downloads: The Silent Menace of Trojanized Messaging Apps

In today’s digital age, messaging apps have become an integral part of our daily communication. From personal chats to professional discussions, these platforms offer convenience and connectivity. However, a spate of recent incidents has unveiled a concerning trend: the rise of trojanized messaging apps that deliver spyware. 

Last year, Meta disclosed that the hacker group Bitter APT had embedded their Dracarys malware into fake versions of Signal, Telegram and Whatsapp. Corrata has also encountered similar malware in the wild. And more recently, researchers at ESET discovered trojanized versions of Signal and Telegram on Google Play and in the Samsung Galaxy Store. 

What’s Happened?

These malicious apps, named ‘Signal Plus Messenger’ and ‘FlyGram’, were embedded with the BadBazaar spyware and were uploaded by a Chinese APT hacking group known as GREF. Initially, this malware targeted ethnic minorities in China, but recent data indicates that users in countries including Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the US are now being targeted.

The spyware’s capabilities are extensive, ranging from tracking device locations, stealing call logs, SMS, recording phone calls, to exfiltrating contact lists and files. The malicious versions of these apps have novel features that allow attackers to link victims’ Signal accounts to their own devices, enabling them to monitor all future messages. Both malicious apps (FlyGram and Signal Plus Messenger) have been removed from Google Play and Samsung Galaxy Store but are still available from 3rd party sites. 

The Hidden Threat: Trojanized Messaging Apps on the Rise

As you can see above, hackers are successfully deceiving users into downloading counterfeit versions of popular messaging apps. These imposter apps have been ‘trojanized’, meaning they contain concealed malware within what appears to be a safe application. At first glance, these apps might seem appealing due to additional features not present in the standard versions. However, the hidden malware can pilfer a broad spectrum of data, including the messages themselves.

This type of attack is possible because of a key aspect of internet applications: the application developer may control the back-end but ultimately cannot fully control the front-end application.  This is true whether the user is accessing the application via a browser or a mobile app.  

The end-user has control over the software running locally (i.e. the mobile app or the browser). This is fine if the app is the legitimate version, but if the user has downloaded a fake version, the owner of the legitimate service (e.g. WhatsApp) has no way of knowing this. 

Why is this Alarming?

Given the sensitive nature of information shared over these messaging platforms, the risks associated with using a malicious version are immense. This concern is magnified when you consider that employees often use these apps for work-related communication.

Attackers typically take the source code of legitimate apps like Signal and layer on additional features that serve dual purposes:

1. Attracting users with enhanced features.
2. Granting malicious capabilities to the hacker.

With this malicious layer, attackers can:

• Link other devices, maintaining persistent access even after the malicious app’s removal.
• Leak data from the account.
• Perform on-device malicious actions, such as accessing files, location, and messages.
• Often grant extensive permissions to legitimate apps. For instance, WhatsApp requires access to photos, videos, in-chat media, and user location. Malware often manipulates users into granting these permissions, especially when the app appears legitimate.

The Bigger Picture

While these attacks are often targeted at consumer applications such as the ones named above, there’s no barrier preventing business tools like Slack, Teams, or Outlook from being trojanized similarly. Signing into these compromised apps could grant attackers access to company data, credentials, and authentication tokens – see here. The “Adversary” in this case is not traffic-level eavesdropping but on-device eavesdropping.

Mobile users are advised to always take care to download only the official versions of apps and to steer clear of third-party versions that claim to offer enhanced features, even if they are available on official app stores.

How to protect your organization

Robust defense against such threats consists of three elements:

• Firstly, make sure that your mobiles are prevented from accessing websites which host malware. 
• Secondly, ensure that your employees’ devices are continuously scanned for potentially harmful applications and 
• Thirdly, monitor traffic to and from employee devices to detect communications with Command and Control (C2) servers and other suspicious traffic.

The simplest way to provide these protections is to deploy a mobile threat defense solution to your employee devices. The right solution will provide the necessary protection while being easy to deploy and manage and avoiding the need to collect employee personal information.