Fake iMessage app for Android spoofs Mac mini, routes chats through China [u]

Posted:
in iPhone edited July 2014
A new messaging app aping the iMessage name has shown up on Google's Play Store, but Android device owners may want to think twice before downloading the unsanctioned app, as it doesn't seem to work as advertised and may be doing a bit more than it lets on.

Update: The app in question has subsequently been pulled from the Google Play store.



The new app is called iMessage Chat, and its developer describes its "primary purposes" as "[making] sure everyone should be able to chat via iMessage on Android for free." The app description is not shy stating a similarity to Apple's iOS- and OS X-based iMessage platform, claiming that "iMessage, the popular instant messaging service known from the iPhone, iPad and Macs is now also available for Android devices!"

In addition to the iMessage name, the app copies the icon from Apple's own iOS 7 Messages app. It also largely reproduces the pre-iOS 7 aesthetic of Apple apps, with a palette heavy in blues and grays, as well as a bulging effect on buttons and other elements.

The service, of course, has no connection with Apple, iOS, or OS X, and in testing the feature The Verge found that it will not even send messages to Apple devices. Instead, it so far only sends messages between Android apps that are running the app.

Developer Adam Bell noted on his Twitter account that iMessage on Android appears to be spoofing iMessage requests by passing itself off as a Mac mini. Bell's tests, though, found that the app was working between test accounts, though he noted that "I 100% do not trust that apk."

Bell's concerns are mirrored by others in the developer community. Jay Freeman, better known as Saurik, delved into the app's code, finding that "the client does directly connect to Apple, but the data is all processed on the developer's server in China. This not only means that Apple can't just block them by IP address, but that also that they get to keep the secret sauce on their servers."

In addition to this third-party routing, some portion of the code in iMessages for Android is apparently hidden or obfuscated. An apparent developer of the app has attempted to allay fears on his Twitter account, saying that the obfuscation is "because i worry sombody use it to send Ads" (sic).

Adding to developer skepticism surrounding the app is the fact that iMessages' developer apparently asks for user login credentials when they request help with the service. Aside from the credentialing issue and the data routing issue, no one in the developer community or the review section on the app's page appears to be complaining of any other egregious security issues or violations.

The app currently has an average rating of 2.9, with 148 5-star reviews and 187 1-star reviews. It has been installed by between 10,000 and 50,000 users.
«1

Comments

  • Reply 1 of 25
    'It has been installed by between 10,000 and 50,000 users.'
    LOL! If Fakeroids are really interested in it, why bother with Android then? Wannabe cool, huh?
  • Reply 2 of 25

    This app is very dangerous.

     

    It has permissions to install apk on the background and everything is stored on some servers, in China.

  • Reply 3 of 25
    I think we are entering the age where the Fandroids would say 'So what? We got iMessage too!'
  • Reply 4 of 25
    john.bjohn.b Posts: 2,716member

    What could go wrong?  <img class=" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />

  • Reply 5 of 25

    Looks like malware is the category that Android continues to beat iOS at year-over-year.

  • Reply 6 of 25

    Lawsuit and jail time in three… two…

  • Reply 7 of 25

    I'm thinking this will be pulled eventually...

  • Reply 8 of 25
    Quote:

    Originally Posted by macxpress View Post

     

    I'm thinking this will be pulled eventually...


     

    On what basis? Copyright or trademark infringement? That it is unsavory and sleazy? Tell me, what part of the Android values system does this violate. As near as I can tell, there is no Android values system. 

  • Reply 9 of 25

    I advise all Fandroids to immediately install this app, I hear that it's awesome, and I can highly recommend it.

     

    It'll fit right in with all of the other malware found on Android.

     

    And ignorant Fandroids are talking about Apple's Touch ID? Hell, every Android device itself is a huge security threat, thanks in no small part to their malware infested store.

     

    I also read that Blackberry couldn't release BBM (and had to delay it) because there was a crapload of fake BBM's on the Google store? 

     

    If I was looking for the least secure platform around, running the shittiest and most lag ridden OS around, running on huge, ridiculous looking clown phones made for posers and poor people, I'd certainly choose Android without any doubt.

  • Reply 10 of 25
    Google might pull it. Not for the copyright or security issues but for the lack of google ads.
  • Reply 11 of 25
    That's open source for ya!
  • Reply 12 of 25
    gatorguygatorguy Posts: 19,322member
    So it does connect to Apple servers?? Strange stuff and certainly looks unsavory.

    EDIT: Reviewers say it collects Apple ID's?
    "[B]The contacts import only imports phone numbers of people who have iPhones not the rest. [/B]So you can't use it as your main message app. Plus I can't seem to message with people who have iPods only. Plus I live in Canada and no US iphones contacts imported. Also I think it depends how the iPhone user setup their iMessage."

    Yup, needs to go!

    EDIT2: Appears Google is blocking any further installs? Apparently attempts to download it get "This app is incompatible with all of your devices".

    Just tried it for myself on a Nexus 7 and that's what I see too.
  • Reply 13 of 25

    HAHA! And what was that I recently saw Fandroids posting that Google doesn't allow apps like this into Google Play, and that if they do make it in, they are immediately pulled? 10,000-50,000 downloads already and Google has yet to lift a finger?

     

    I guess all those reports by anti-virus companies and security agencies warning of the malware threats on Android were 100% justified!

  • Reply 14 of 25
    Don't see anything wrong with this at all. Their server is a mac which has access to the OS X Messaging framework, which they must have used to register multiple accounts. So the android app sends the message to their OS X server which then sends it on to Apple. Similarly when a message is received by OS X it forwards it on to the users device. The only risk would be if they are storing the login information and not just the sign on tokens but thats the same worry with any 3rd party multi protocol messaging app and people were using Adium for years without a care.
  • Reply 15 of 25
    Quote:

    Originally Posted by indiekiduk View Post



    Don't see anything wrong with this at all. Their server is a mac which has access to the OS X Messaging framework, which they must have used to register multiple accounts. So the android app sends the message to their OS X server which then sends it on to Apple. Similarly when a message is received by OS X it forwards it on to the users device. The only risk would be if they are storing the login information and not just the sign on tokens but thats the same worry with any 3rd party multi protocol messaging app and people were using Adium for years without a care.

    Are you serious, or just trolling? Did you not read the tidbit about the app having permissions to install new .apk binaries in the background without user consent? This is straight-up MALWARE/VIRUS material, and you're condoning it?

     

    Fine, you're Android, the land of the clueless, enjoy the app, and all the trash it sideloads onto your device.

  • Reply 16 of 25

    Plenty of iOS 7 envy among Android users.  But not to worry.

    Plenty of fake iOS 7 apps and wallpapers on Google Play:

     

    https://play.google.com/store/search?q=ios+7&c=apps

  • Reply 17 of 25

    Its officially been pulled from the Google Play Store

     

    https://play.google.com/store/apps/details?id=com.huluwa.imessage

  • Reply 18 of 25
    Well hey, Android fanboys enjoy their not so restricted OS and find their peepee pics on some Chinese server...lol.
  • Reply 19 of 25
    sflocalsflocal Posts: 4,289member
    Quote:
    Originally Posted by Apple ][ View Post

     

    I advise all Fandroids to immediately install this app, I hear that it's awesome, and I can highly recommend it.

     

    It'll fit right in with all of the other malware found on Android.

     

    And ignorant Fandroids are talking about Apple's Touch ID? Hell, every Android device itself is a huge security threat, thanks in no small part to their malware infested store.

     

    I also read that Blackberry couldn't release BBM (and had to delay it) because there was a crapload of fake BBM's on the Google store? 

     

    If I was looking for the least secure platform around, running the shittiest and most lag ridden OS around, running on huge, ridiculous looking clown phones made for posers and poor people, I'd certainly choose Android without any doubt.


     

    I think it's great that you finally saw the light and endorse Android for all the wonderful "open" things it allows the user - and stealthy developers to do... I especially love the picture of a shitcan used as the logo.  It seems fitting for such a well-received OS. ;)

  • Reply 20 of 25
    Quote:

    Originally Posted by Mac Voyer View Post

     

     

    On what basis? Copyright or trademark infringement? That it is unsavory and sleazy? Tell me, what part of the Android values system does this violate. As near as I can tell, there is no Android values system. 


     

    Are you joking?  IMESSAGE is a registered trademark of Apple, Inc.  No one can sell a product in that space by that name.

     

    At least make an attempt before posting. Less than 5 seconds (1 easy search) found this, with a picture of the certificate and everything:

      http://www.patentlyapple.com/patently-apple/2012/11/apples-imessage-is-now-a-registered-trademark.html

Sign In or Register to comment.