Beware fake encrypted messenger apps

It’s the Digital Security Training team at?Freedom?of the?Press?Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe on LinkedIn?here?or through our website?here.

In the news

A security research group found that fraudulent versions of messaging apps Signal and Telegram have been available for years on the official Google Play and Samsung Galaxy stores. Renamed as Signal Plus Messenger and FlyGram, these apps are designed to distribute BadBazaar malware, which steals information about the infected device and sensitive information from victims, including contact lists, call records, and in some cases, the content of users’ messages. In recent years, this particular strain of malware has been used extensively to target Uyghur minorities in China by impersonating dozens of apps. Following ESET’s discovery, Google and Samsung removed the fake apps. Read more here.

What you can do

• When it comes to weeding out fraudulent software, app stores have a long way to go. In the meantime, if you’re not sure whether you’re finding the app you’re looking for, consider looking outside of the app store. Search on your favorite search engine for the app you want to use and go directly to the official website. Typically, it will have a download page with the legitimate app store link for both Android and iPhone.
• Because every app adds to your “attack surface” — exposure to potential security vulnerabilities — keeping your device up to date and deleting unused apps is always a good move. Check out our guide to mobile security to learn more.
• As far as encrypted messengers go, Telegram doesn’t enable end-to-end encryption by default. We recommend Signal when possible. Read our guide to getting started with Signal and for those who already use it, learn about locking down Signal.?

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Martin

–

Martin Shelton

Principal Researcher

Freedom of the Press Foundation