Most Telegram and Signal Mods Are Spyware, and This Is How You Spot Them
Story by Damir Mujezinović, MUO, 11/26/23
Signal and Telegram are two of the world’s most popular secure messaging apps; they are committed to safeguarding user privacy, are easy to use, and are packed with cool features.
But people always want more from their apps. Unofficial Signal and Telegram mods that promise extra features have attracted a sizeable user base, and cybercriminals exploit that demand to deliver malware and more.
What Are App Mods?
App mods are not an inherently sinister idea. Software is usually modified by tech enthusiasts, third-party developers, and fans: people who believe the stock version of an app either lacks certain functionality or carries unnecessary features that hurt its performance.
Some software companies dislike the concept and do their best to crack down on modded versions of their products. However, others are not opposed to it and encourage developers to come up with their own clients or modified versions of the same app.
How Does Spyware in Telegram and Signal Clones Work?
Here’s where it gets sinister: cybercriminals realized there’s a market for app mods and exploit this to distribute malware. That’s exactly what has been happening with certain Telegram clones, as discovered by the cybersecurity firm Kaspersky, which published its findings in September 2023. ESET, meanwhile, found in August 2023 that threat actors are also creating fake Signal mods to spy on unsuspecting users.
Fake Telegram mods appeared on Google Play as Traditional Chinese, Uyghur, and Simplified Chinese app versions. The malicious developer made a real effort to appear convincing, using images similar to the ones Telegram uses on its official channels, while app descriptions were written in the aforementioned languages. The mod was advertised as a faster, lighter version of Telegram.
In short, this looked like a perfectly legitimate mod, similar to the third-party clients Telegram itself endorses and encourages developers to build. But there was a significant difference: the fake Telegram app carried additional code that let its creators spy on anyone who installed and used it. Those who made the mistake of installing it had their contacts, messages, files, names, and phone numbers exposed, with the data sent to the threat actor's server as they used the app.
With Signal, the threat actor took a slightly different approach. They built a mod called Signal Plus Messenger and set up a fake website to appear legitimate. The malware in the fake Signal mod was arguably more dangerous than the one in the fake Telegram app: it abused Signal's "link a device" feature to silently pair an attacker-controlled device with the victim's Signal account, so the attackers received the victim's messages as they arrived.
Both mods can be classified as spyware, a type of malware designed to gather information about the target without their knowledge or consent.
ESET and Kaspersky link both mods, along with several other malicious apps, to the same group, GREF. The group is reportedly aligned with the Chinese government and typically distributes the spyware family tracked as BadBazaar.
Why Do These Telegram and Signal Apps Include Spyware?
Why are they distributing these malicious mods? According to the ESET report, one of the main reasons is to spy on ethnic minorities in China.
The fake apps were later removed from the Google Play Store and Samsung Galaxy Store, but the damage had already been done. They were likely downloaded by thousands of people (worldwide, not just in China) whose private data was exposed and probably ended up in the hands of the Chinese government.
Granted, other scammers distribute spyware-ridden mods too, most of them financially motivated. The real question is how these malicious apps got into two large, reputable app stores in the first place. Don't these stores review submissions for malicious code?
Google’s July Trends Report [PDF] offered an explanation: its researchers saw threat actors bypass Play's security controls through versioning. The developer first publishes a perfectly clean app and then ships an update that either contains the malicious code directly or, more often, downloads it from an attacker-controlled server at runtime (dynamic code loading), so the payload never appears in the package that was reviewed. Updates are supposed to be analyzed before approval too, but a staged, remotely loaded payload is much harder to catch, and the company is evidently struggling to keep malware out of its store.
How to Stay Safe From Fake Signal and Telegram Apps
That these particular Signal and Telegram mods are no longer available on the Google Play Store and Samsung Galaxy Store doesn’t mean much, since it’s more than likely they will reappear in some form. Even if they don’t, other fake mods will take their place.
To stay safe, you need to know how to differentiate between real and fake apps, legitimate mods, and those that contain malware.
1. Research the Developer
Before downloading a modded app, do some research on the people behind it. Who are they? Do they have a track record? Is their client endorsed or at least acknowledged by the original developer?
2. Check Ratings and Reviews
It’s always a good idea to check what other people are saying and look at the ratings and reviews. This is not a bulletproof strategy, but it can still help you determine whether the mod you want to download is safe.
3. Avoid Third-Party App Stores
As a general rule of thumb, do not download software from third-party app stores or random websites. The Google Play Store has its problems, but it also has protections in place and is a much safer option. With that said, there are a few reputable sites for safe APK downloads; if you do sideload, compare the APK's signing-certificate fingerprint with the one the developer publishes (Signal, for example, publishes the fingerprint of its official APK), because a clone cannot be signed with the real developer's key.
4. Review App Permissions
Apps like Signal and Telegram revolve around privacy, and they only ask for permissions tied to features you actually use (contacts, camera, microphone, and so on). A malicious modded app tends to ask for more, such as SMS, call-log, or "install packages" permissions that a messenger has no use for. To check what a suspicious app is asking for, navigate to Settings > Apps, locate the app in question, and tap it. Alternatively, long-press the app on your home screen and select App Info > Permissions. Menu names and steps vary slightly between Android versions and vendors, but the process is similar. Re-check after updates, too, since an update can request permissions the original install never had.
5. Use Security Software
Even if you make the mistake of downloading a spyware-infected app mod, security software may catch it. Google Play Protect and several free antivirus apps for Android detect known spyware families such as BadBazaar, although none of them is a substitute for not installing the app in the first place.
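Steps 3 and 4 above, together with the versioning trick described earlier, can be turned into a mechanical check: compare the permissions an app build requests against a known-good baseline, and compare its signing certificate against the fingerprint the developer publishes. The script below is an added example, not code from the article or from Signal or Telegram. It parses the text printed by two real Android SDK build tools, `aapt dump badging app.apk` and `apksigner verify --print-certs app.apk`; the tool output embedded here is constructed for the demo, the package name is fictional, and the "expected" digest is a placeholder rather than any real developer's fingerprint.

```python
"""Audit an APK build against a known-good baseline (added example).

Inputs are the text that two Android SDK build tools print:
  aapt dump badging app.apk              -> "uses-permission: name='...'" lines
  apksigner verify --print-certs app.apk -> "Signer #1 certificate SHA-256 digest: ..." lines
The sample output below is constructed for the demo; the package name and the
expected digest are placeholders, not real identifiers.
"""
import re

# Runtime-prompted ("dangerous") permissions a messenger clone would most
# plausibly abuse. Subset chosen for the demo; extend to taste.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.QUERY_ALL_PACKAGES",
}

PKG_RE = re.compile(r"^package: name='([^']+)' versionCode='(\d+)'")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")
SIGNER_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})")

# Constructed `aapt dump badging` output for the build you trust ...
BASELINE_BADGING = """\
package: name='org.example.messenger' versionCode='100' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
"""
# ... and for an "update" that quietly widens its reach (the versioning pattern).
UPDATE_BADGING = """\
package: name='org.example.messenger' versionCode='101' versionName='1.1'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""
# Placeholder fingerprint standing in for the one the developer publishes.
EXPECTED_DIGEST = "11" * 32
GOOD_SIGNERS = f"Signer #1 certificate SHA-256 digest: {EXPECTED_DIGEST}\n"
BAD_SIGNERS = "Signer #1 certificate SHA-256 digest: " + "22" * 32 + "\n"


def parse_badging(text):
    """Return (package_name, version_code, set_of_permissions) from aapt output."""
    pkg, vcode, perms = None, None, set()
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, vcode = m.group(1), int(m.group(2))
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return pkg, vcode, perms


def parse_signers(text):
    """Return the set of lower-cased SHA-256 signer digests from apksigner output."""
    digests = set()
    for line in text.splitlines():
        m = SIGNER_RE.match(line)
        if m:
            digests.add(m.group(1).lower())
    return digests


def audit(baseline_badging, candidate_badging, candidate_signers, expected_digest):
    """Compare a candidate build with the baseline; an empty 'problems' list is a pass."""
    bpkg, bver, bperms = parse_badging(baseline_badging)
    cpkg, cver, cperms = parse_badging(candidate_badging)
    problems = []
    if cpkg != bpkg:
        problems.append(f"package name changed: {bpkg} -> {cpkg}")
    if bver is not None and cver is not None and cver < bver:
        problems.append(f"candidate versionCode {cver} is older than baseline {bver}")
    added = sorted(cperms - bperms)
    flagged = [p for p in added if p in SENSITIVE]
    if flagged:
        problems.append("new sensitive permissions: " + ", ".join(flagged))
    if expected_digest.lower() not in parse_signers(candidate_signers):
        problems.append("signing certificate does not match the published digest")
    return {"package": cpkg, "version": cver, "added": added, "problems": problems}


if __name__ == "__main__":
    for label, badging, signers in (("clean", BASELINE_BADGING, GOOD_SIGNERS),
                                    ("suspect", UPDATE_BADGING, BAD_SIGNERS)):
        result = audit(BASELINE_BADGING, badging, signers, EXPECTED_DIGEST)
        print(f"[{label}] {result['package']} v{result['version']}")
        for p in result["problems"]:
            print("  !", p)
```

In practice you feed the script the real tool output for the installed build (`adb pull` the APK from the device, then run `aapt` and `apksigner` on it) and for the last build you vetted. Note that Android itself refuses to install an update signed with a different key than the installed app, so the digest check matters most for a first install or a sideload; the permission diff is what catches the versioning pattern, where the same developer key pushes an update that asks for far more than the original.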
Be Careful With Modded Apps
Modded apps allow users to experience software in a novel way, but they can also pose a security risk. This doesn’t mean you should avoid modified versions of popular apps entirely, but you must take extra precautions.
Signal and Telegram are miles ahead of other messaging apps regarding security and privacy. For the average person, they’re good enough as they are.