The attacker uses a patched version of Signal to be able to intercept requests and to block a get request to the attachment they have just created. At least it is my understanding.

That’s just to be able to use their APIs to get the location of the sender.

Example you used the normal Signal app without patch and sending me a message, and I have the patched version.

Just to remove certificate pinning, to be able to see the API traffic because of encryption.

I'm not sure how much if it makes any sense.