Thousands of Users Unknowingly Joined Signal Because of 12-Year-Old’s App

Signal, an encrypted messaging app, has exploded in popularity recently, becoming the most downloaded free app on both the Google Play Store and Apple’s App Store. We can’t say for certain why, but Elon Musk recently recommended it to his 42.2 million followers on Twitter. It might be that some users are fleeing the Facebook-owned WhatsApp after some recent privacy policy changes, or Trump supporters who can no longer use Twitter and Parler.

These are all plausible explanations, but at least 10,000 Signal users can be attributed to a 12-year-old kid in India who created a somewhat popular clone of the encrypted chat app.

Dev Sharma, a Signal user from Melbourne, Australia, found the Signal clone when he encountered an unusual thing: Signal displayed a pop-up showing that their friend had just joined the app. Sharma messaged their friend, but the friend had never even heard of Signal, despite apparently using the app. The friend had downloaded a different app called “Calls Chat,” according to a tweet from Dev.

It turned out, Calls Chat is actually a clone of Signal and lets users communicate with people on the legitimate Signal app.

The app may have been harmless in this instance, but its existence and thousands of downloads shows how it can be relatively easy for someone to take the open source code of Signal and repurpose it for their own means, potentially misleading users about what they’re actually downloading in the process.

“I didn’t know I was creating a clone of Signal, in fact I didn’t even know such an app existed,” Dheeraj, the boy who made the clone, told Motherboard in a phone call.

Do you know any other apps violating the Apple App Store or Google Play Store policies? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Signal did not respond to a request for comment. But Moxie Marlinspike, Signal’s CEO and co-founder, said in a tweet that these sorts of clones “happen a lot unfortunately.”

“Signal is OSS [open source software], so people will take the app, change the name and make the fonts Papyrus or something, put ads in it, then submit it to the Play Store,” he added. “It’s just a low-cost (for them) way for [people to] deliver ads/trackers/etc in the form of an ‘app.'”

Dheeraj, in this case, just wanted to make an app during a COVID-related lockdown.

“I had learnt the basics of coding in school, but when I found myself with so much free time in the lockdown, I decided to explore my interest in coding apps. I got myself a computer and watched several YouTube videos to learn more about the software. I’ve been using a phone since I was in the fourth grade, so I’ve always wanted to make something for phones,” he told Motherboard.

“Initially, my plan was to make an Indian made version of TikTok so people wouldn’t have to use the Chinese version. But my experimentation and trials led me [to] creating a messaging app, Call Chat Messenger,” he added. Last year, India banned nearly 60 Chinese-made apps, including TikTok and WeChat.

The Google Play Store bars developers from impersonating other apps or making others that are deceptive, however. Google told Motherboard on Wednesday that the chat app is no longer available on the Play Store.

Sneha Nair and Shamani Joshi contributed reporting.

Subscribe to our cybersecurity podcast CYBER, here.

This post has been read 26 times!

0 0 vote
Article Rating
Like
Like Love Haha Wow Sad Angry
guest
Not Optional
Optional
0 Comments
Inline Feedbacks
View all comments