I mentioned to a friend today that I saw that he was on Signal, but he told me he'd never heard of it. So I messaged him on it, and the weirdest thing happened...
He replied to me, and said that he received my message on another app, called "Calls Chat". Thinking he was surely mistaken, I asked him to send me a screenshot. 
Confused AF as to how my messages sent from Signal were getting to this random app, I searched it up on the Play Store. "Call Chat Messenger" had over 10K downloads. Naturally, I proceeded to install it. play.google.com/store/apps/det…
Upon launching, it was obvious that this was a Signal clone. Even the 'Terms and Privacy Policy' still linked to the Signal website, and the account setup was exactly the same.
I proceeded with the setup. The one-time password came from the same Signal number where I received previous OTPs from.
It next asked for the app PIN from my previous registration. I entered dummy values, but it got rejected.
This made it clear that this app was talking to the Signal servers to validate this(!!!!)
This made it clear that this app was talking to the Signal servers to validate this(!!!!)
Launching the original Signal app now told me that my device was no longer registered as I'd used my number on a different device (or in this case, app)
It turns out the app developer is a 12 year old kid, who was actually in the news recently for "coding" this very app. He likely used something like AppGeyser to build this and I DON'T think for a second that the intention is to phish or scam anyone. keralakaumudi.com/en/news/mobile…
But what's left me confused is (and I may be a bit ignorant here), how can the Signal servers accept connections from a third party app to generate OTPs and access the chat servers? @fs0c131y @troyhunt
I've reported the app on the Play Store and notified Signal via email. As for how my friend had it, he'd seen the news article and downloaded the app a few months ago.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
