Hackers steal Signal, WhatsApp user data with fake Android chat app : technology

[–] [email protected] 70 points 2 years ago (4 children)

I have a hard time seeing how this app gets my Signal info, SMS is no longer supported in Signal.

[–] [email protected] 42 points 2 years ago

I suspect fear mongering as it likely DOES take screenshots and since it has the device infected, it grabs the time/position and other intelligence it can grab. I don’t believe for a second they actually hacked the Signal app itself.

[–] [email protected] 9 points 2 years ago

Yeah that claim seems fairly unsubstantiated by the rest of the article. It’s probably bullshit.

[–] [email protected] 8 points 2 years ago* (last edited 2 years ago) (2 children)

Wait it isn't? Are you telling me all the SMS I have received were sent into the pitch black abyss?

[–] [email protected] 14 points 2 years ago* (last edited 2 years ago)

https://support.signal.org/hc/en-us/articles/360007321171-Can-I-send-SMS-MMS-with-Signal-#:~:text=SMS%20is%20not%20secure%20or%20private%2C%20and%20that,anyone%20snooping%20on%20your%20traffic%20could%20read%20them.

SMS was supported back when I was on android, roughly a year ago, since it handled all of my texting (signal or standard) but it was already broken up in iOS at that point, and they were dropping support for SMS on android (announced October 2022).

[–] [email protected] 3 points 2 years ago

I lost SMS support this spring, Signal posted about this in October 2022. I'm on Android and PC.

[–] [email protected] 2 points 2 years ago (1 children)

You install the app, by doing so you give the app permisions.

[–] [email protected] -1 points 2 years ago

There is no system permission I'm aware of that will give other applications access to Signal which is an app made to be secure with at least a PIN code for accessing it.

[+] [email protected] 41 points 2 years ago* (last edited 2 years ago) (1 children)

[deleted]

[–] [email protected] 5 points 2 years ago

And give it accessibility permission, which comes with a big fat warning. Basically you need to tell Android "yes, install and run this random app I don't really need, and give it access to all my info".

[–] [email protected] 23 points 2 years ago (1 children)

Anything with the word 'safe' in it should be immediately distrusted.

[–] [email protected] 9 points 2 years ago

Probably why Google went from SafetyNet to Play Integrity. Maybe we should also start distrusting "integrity" as well, given how they're trying to push the Web Integrity crap.

[–] [email protected] 23 points 2 years ago

"Hackers".

[–] [email protected] 15 points 2 years ago (1 children)

The signal user data is only phone number and the date when the account was created iirc.

[–] [email protected] 5 points 2 years ago

The malware is running on the user's phone. There it has access to all of the data, including message contents. Doesn't matter how secure the server and message encryption are.

Signal's servers were not comprimised. And like you said that would only give them a minimal dataset.

[+] [email protected] 3 points 2 years ago (1 children)

[deleted]

[–] [email protected] 14 points 2 years ago (1 children)

Yeah but that wouldn't solve this issue? The malware stole data from the app on the users device, not from a server.

[–] [email protected] 2 points 2 years ago (2 children)

Thats technically possible?

[–] [email protected] 3 points 2 years ago

Oh my goodness.

[–] [email protected] 2 points 2 years ago

Did you read the article? Or even the summary. It states that the attack was an Android app names SafeChat that infected the phone and retrieved chat logs, etc.

[+] [email protected] -43 points 2 years ago (6 children)

As much as I love the decision to be able to sideload apps on iOS I fear that we’ll start seeing headlines like these.

[–] [email protected] 50 points 2 years ago (1 children)

What do you mean? Similar vulnerabilities/apps/phishing has been available on iOS since at least 2020.

[–] [email protected] 40 points 2 years ago

A user has to click a lot of buttons to make this work, android security is doing its job. If there's any failing on android security's part, it's consolidating permissions into accessibility services instead of breaking them out into something a user might get scared to click.

Then again, they did click accessibility services on a "secure messaging" app. They need to learn somehow. I just refuse to accept that the appropriate solution is not owning things you buy. There has to be a better way.

[–] [email protected] 13 points 2 years ago (2 children)

I always chuckled at my Android friends having to run AV software on their phones, but then we got Pegasus and it got harder to be smug… then the shenanigans from “legitimate” devs like Über and Tencent. It doesn’t seem like blindly trusting Apple was a great idea anymore.

[–] [email protected] 42 points 2 years ago (1 children)

It never was. Read Apple's true privacy agreement on their website. It's the one you agree to but don't read when you boot up your shiny new mac or iphone for the first time. They are no different from Microsoft or Google, they are just the best at cultivating an image.

[–] [email protected] 4 points 2 years ago (2 children)

Prepare yourself for the downvote train approaching at near lightspeed. People cannot fathom how a for profit corporation might do anything they have to to increase profit.

[–] [email protected] 12 points 2 years ago

It's OK. Downvotes don't matter too badly here.

I'd say Apple being a lifestyle brand means the users aren't going to have privacy as a primary concern is the real reason behind this. And it's hard to get out of the walled garden once you're in.

[–] [email protected] 6 points 2 years ago

Fear not we aren't at the apple subreddit.

[–] [email protected] 13 points 2 years ago (1 children)

Android friends having to run AV software on their phones

which does nothing, because even IF the "antivirus" detects malware, it has no privileges necessary to remove it.

[–] [email protected] 2 points 2 years ago (1 children)

Still a good first step… I always figured Android AV was more for people who already had a rooted phone?

[–] [email protected] 3 points 2 years ago

Anti virus software on a smartphone makes as much sense as on a PC. Eg none at all. You just increase the attack surface for some warm fuzzy feelings.

[–] [email protected] 5 points 2 years ago (1 children)

I won’t be sideloading anything onto my device that I can’t build myself from opensource and understand what it’s doing.

The risk is too damn high otherwise.

[–] [email protected] 4 points 2 years ago

This is just good practice. You don't have to trust anyone's word that what you're installing is what they say it is when you can trust your own eyes.

Technology

Our Rules

Approved Bots