dev
12 Jan, 10 tweets, 4 min read
I mentioned to a friend today that I saw that he was on Signal, but he told me he'd never heard of it. So I messaged him on it, and the weirdest thing happened...
He replied to me, and said that he received my message on another app, called "Calls Chat". Thinking he was surely mistaken, I asked him to send me a screenshot.
Confused AF as to how my messages sent from Signal were getting to this random app, I searched it up on the Play Store. "Call Chat Messenger" had over 10K downloads. Naturally, I proceeded to install it.…
Upon launching, it was obvious that this was a Signal clone. Even the 'Terms and Privacy Policy' still linked to the Signal website, and the account setup was exactly the same.
I proceeded with the setup. The one-time password came from the same Signal number that I received previous OTPs from.
It next asked for the app PIN from my previous registration. I entered dummy values, but it got rejected.

This made it clear that this app was talking to the Signal servers to validate this(!!!!)
Launching the original Signal app now told me that my device was no longer registered as I'd used my number on a different device (or in this case, app).
It turns out the app developer is a 12-year-old kid, who was actually in the news recently for "coding" this very app. He likely used something like AppGeyser to build this and I DON'T think for a second that the intention is to phish or scam anyone.…
But what's left me confused is (and I may be a bit ignorant here), how can the Signal servers accept connections from a third party app to generate OTPs and access the chat servers? @fs0c131y @troyhunt
I've reported the app on the Play Store and notified Signal via email. As for how my friend had it, he'd seen the news article and downloaded the app a few months ago.
