Google yanks sketchy iMessage clone for Android from app store

People who probed the app's innards suspected it was harvesting Apple ID credentials

An app that purportedly spoofed a Mac so that Android smartphone and tablet owners could send and receive text-like messages through Apple's iMessage service disappeared today from the Google Play app store.

Google confirmed that it yanked the app for violating its store policies.

Dubbed "iMessage Chat," the app came under quick fire Monday from other app developers who said the program may have been harvesting Apple ID usernames and passwords by passing packets through a China-based server.

The app first appeared on Google Play on Sept. 12 and was available as late as Monday. By today, however, it had been scrubbed from the app store.

iMessage is Apple's proprietary technology that is embedded in the Message apps for iOS 5 and later and OS X Mountain Lion. When users text another iOS device or a Mac, they sidestep their mobile carrier's traditional SMS (short message service), avoiding texting charges.

The Android app was designed to let users piggyback on Apple's iMessage service to send and receive texts.

But concerns about the implications quickly surfaced.

"iMessage for Android app has code to download APKs in the background? TOTALLY SAFE. Not rootkit-ing your phone or anything? :D," tweeted Steve Troughton-Smith, an app developer with High Caffeine Content, on Monday.

The term "APK" in Troughton-Smith's tweet referred to the file format used by Android to install apps and other code on the operating system.

Others pointed out that users of the app were required to log in using their Apple ID username and password, and that the developer may have simply built the program to collect those valuable credentials, which are used to access iOS devices remotely for data wiping, purchasing content on iTunes and buying goods, including iPhones and Macs, through Apple's online store.

Jay Freeman, who goes by the online nickname "saurik," dug inside the app and tracked the packets it sent and received. Freeman is best known as the developer of Cydia, the open-source application installer that acts as an App Store substitute for jailbroken iPhones.

He found that iMessage Chat for Android essentially inserted itself into the middle of the normal back-and-forth between a user and Apple's iMessage servers. In a thread on Hacker News, Freeman spelled out his findings.

"I believe that this application actually does connect to Apple's servers from the phone, but it doesn't then interpret the protocol on the device," Freeman wrote on the thread. "Instead, it ferries the data to the third-party developer's server, parses everything remotely, figures out what to do with the data, and sends everything back to the client decoded along with responses to send back to Apple."

Commenters on Freeman's Google+ page, where he also discussed iMessage Chat, pointed out the danger of trusting a third-party app with an Apple ID. "Seems to be a quick way to get pwnd in some way or another," said Hugo Visser, a Dutch developer of Android apps.

Commenters also noted that the China-based server was running SQL Server, which was accessible from the Internet, posing yet another threat to anyone who used iMessage Chat. Even if the developer was on the up-and-up, and wasn't harvesting Apple IDs, the server could be hacked by others, who would then be able to sweep up the credentials.

Someone who identified themselves as "Hu LuWa" -- the name used for the developer's website, according to Google Play -- dropped in on Freeman's Google+ page to post one comment, but did not answer any of the several questions others posed.

The developer's website -- -- was offline Tuesday. A message left on a Google+ page assigned to Hu LuWa was not returned.

A Google spokeswoman confirmed the company had pulled the app. "We remove apps from Google Play that violate our policies," she wrote in an email reply to questions.

This article, Google yanks sketchy iMessage clone for Android from app store, was originally published at

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingAppleGooglesecurityapplication securityAccess control and authenticationmobile apps

More about AppleApple.GoogleMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place