There are images from the user's screen, with him in the photograph using the application, showing the chats from the app reproduced verbatim (forwarded) to a Gmail account.
The article states that "at least one line of code must've been added" to support such a feature, which I believe to be an honest and accurate assessment.
But it is unknown if the current version was modified to do so, as the name "TM SGNL" looks shortened to fit after hex-editing the app. This could all have been achieved by library overloads, etc.
> One line
This can also be a single JMP and RTS statement to a function that takes a screenshot, or something that takes the message.
No technical analysis of a working application has been performed, just speculation about how this could work. I am not saying Micah is wrong; I just hoped more was available so an actual disassembly was possible.
I would speculate that they did not recompile from source, but used the same process as for their other applications: intrusive modification of code execution, by injection, etc. That is speculation on my end, but it reuses similar approaches across all of their applications.