A fake version of the private messaging app Signal has found a way onto Google Play and appears to be linked to a Chinese spy operation, researchers claimed on Wednesday.
The hackers, dubbed GREF by researchers at cybersecurity company ESET, also released a version on Samsung’s Galaxy Store. The main aim of the fake Signal, which was called Signal Plus Messenger and functioned the same as the legitimate version, was to spy on communications of the real app, according to ESET researcher Lukas Stefanko.
The standard version of Signal allows users to link the mobile app to their desktop or Apple iPad. The malicious Signal Plus Messenger abused that feature by automatically connecting the compromised device to the attacker’s Signal in the background, so all messages were passed on to their account, Stefanko told Forbes. That happens “without the user noticing anything or accepting any notification, it is all done in silence,” he said. According to Stefanko, who published a blog and a YouTube video on the machinations of the attack, this was the first documented case of spying on a victim’s Signal via secret “autolinking.”
While the attacks show how Chinese-linked hackers have found a way to get around security checks by two of the world’s biggest tech companies, they also mark an unprecedented attempt to snoop on Signal communications.