Mobile Security Blog | Pradeo

How a Clone of the Signal Application Compromised Official Users’ Data

Written by Roxane Suau | May 22, 2025

One of the biggest cyber scandals of the year directly involves the U.S. government. In early May, investigative media outlet 404 Media revealed that certain U.S. federal agencies, including U.S. Customs and Border Protection, were using a cloned and modified version of the Signal app.

This app, provided by Israeli company TeleMessage, was adopted by the U.S. government because it allows archiving of members’ conversations, a practice legally required in federal institutions.
However, by transferring conversations to a third-party server for archiving, the very functioning of this clone undermines the end-to-end encryption that is central to Signal’s identity and security.

The clone in question, called TM SGNL, was reportedly hacked within minutes. A few weeks later, 410 GB of data from the breach was published online.


Official Signal App Users Also Exposed

The clone developed by TeleMessage is built on the same architecture as the official Signal app: both versions are interoperable and can communicate freely.

Unlike the original version, the clone systematically stores unencrypted messages on a third-party server operated by TeleMessage. As a result, anyone communicating with a user of the clone unknowingly has their messages exfiltrated—even if they are using the official Signal app. This interoperability makes it possible to compromise conversations that were initially launched from a secure environment.

Moreover, the issue goes beyond Signal: TeleMessage also offers modified versions of other popular apps such as WhatsApp, Telegram, and WeChat, all connected to the same compromised data collection and archiving infrastructure.


Hacked in Minutes by Exploiting Source Code Vulnerabilities

The breach stemmed from a series of basic technical errors. TeleMessage developers had left the complete Android and iOS source code archives freely accessible on their own website, including a .git folder containing the entire development history and hardcoded credentials. This public exposure allowed multiple security researchers to immediately analyze the app and uncover critical vulnerabilities.

In just twenty minutes, one of them demonstrated the ability to intercept conversations, proving that TeleMessage had the technical means to access messages in plain text, which directly contradicted its advertised security claims. The hack required no sophisticated intrusion or zero-day exploit, only public access to the source code and poor development practices.
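The exposed .git folder described above carries every past revision, so a credential removed from the current code is still recoverable from history. The following is an added example, not TeleMessage's or Pradeo's code, of the pre-publication check that catches this: it walks every commit of a local repository with plain git commands and flags common hardcoded-credential shapes. The regex patterns and the sample configuration text are constructed for illustration and should be tuned to a project's own secret formats.

```python
import re
import subprocess
from typing import Iterator

# Constructed patterns for common credential shapes; extend for your own formats.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def find_secrets(text: str) -> list[tuple[str, int, str]]:
    """Return (pattern_name, line_number, matched_text) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((name, lineno, match.group(0)))
    return hits


def _git(repo: str, *args: str) -> str:
    return subprocess.run(["git", "-C", repo, *args], capture_output=True,
                          text=True, errors="replace", check=True).stdout


def iter_history_blobs(repo: str) -> Iterator[tuple[str, str, str]]:
    """Yield (commit, path, content) for every file version reachable from any ref.
    Walking all commits, not just HEAD, is the point: a secret deleted in a later
    commit is still present in the .git history that an exposed archive ships."""
    for commit in _git(repo, "rev-list", "--all").split():
        for path in filter(None, _git(repo, "ls-tree", "-r", "--name-only", commit).split("\n")):
            yield commit, path, _git(repo, "show", f"{commit}:{path}")


def scan_repo(repo: str) -> list[tuple[str, str, str, int, str]]:
    """Scan a local repository's full history; returns (commit, path, pattern, line, match)."""
    return [(commit[:12], path, name, lineno, match)
            for commit, path, blob in iter_history_blobs(repo)
            for name, lineno, match in find_secrets(blob)]


# Constructed sample: the kind of config file that leaks through a published .git folder.
SAMPLE_CONFIG = """db_host = "archive.example.invalid"
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk_live_0123456789abcdef"
# nothing sensitive on this line
"""

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_CONFIG):
        print(hit)
```

Run `scan_repo(".")` against a checkout before publishing any source archive; an empty result is the only acceptable outcome, and any hit means the credential must be rotated, not just deleted from the working tree.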

The hacker gained access to:

  • plain text messages exchanged by U.S. Customs and Border Protection agents and employees of major companies such as crypto giant Coinbase,
  • users’ credentials and passwords,
  • metadata detailing contacts, timestamps, content, and other contextual information related to the exchanges.

A full technical analysis of this breach, conducted by journalist Micah Lee, is available on his website.

A Systemic Flaw, Not an Isolated Case

What happened with the Signal clone isn’t a rare bug or a one-off mistake; it illustrates a widespread practice and deep-rooted risks in the app ecosystem.

Cloning and modifying apps is extremely common, often done without any real analysis of the security impact. Sometimes apps are altered to add business features (as in this case), but in other situations, they are modified for fraudulent or malicious purposes such as bypassing payment systems, injecting spyware, or silently harvesting personal data.

Even without malicious intent, such modifications weaken or void the native security mechanisms of original applications.


The Lesson: Mobile Apps Must Be Tested

This scandal highlights a crucial truth: no app is secure by default, even if it is popular, open source, or appears to be legitimate.

This principle applies to all usage contexts:

  • Using third-party apps
    All apps exhibit behaviors invisible to the naked eye. In enterprise settings, these behaviors can lead to data breaches or fraud. Pradeo provides solutions to automatically or on-demand test and control the security of third-party apps used in professional contexts. They help identify risky behaviors (data manipulation, suspicious connections, malware, tracking...) to quickly assess the reliability of an app.
  • Developing and publishing apps
    Whether an app is business-specific or public-facing, it’s essential to detect risks early in development and maintain checks throughout its lifecycle. The Yagaan AppSec suite powered by Pradeo offers AST (Application Security Testing) and MAST (Mobile Application Security Testing) solutions to analyze source or binary code of mobile and web apps, identify security flaws (vulnerabilities, data leaks...), and fix them easily.