ESET researchers have uncovered two active espionage campaigns targeting Android users, attributing them to the China-aligned APT group GREF. Active under the radar since July 2020 and July 2022 respectively, these campaigns distributed the Android BadBazaar espionage code through several channels, including the Google Play store, the Samsung Galaxy Store, and deceptive websites masquerading as legitimate encrypted chat applications. The rogue apps in question are FlyGram and Signal Plus Messenger.

Lukáš Štefanko, an ESET researcher, revealed, “Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background.” The malware’s primary objective is to exfiltrate device information, contact lists, call logs, and the list of installed apps. Furthermore, it spies on Signal messages by secretly linking the victim’s Signal Plus Messenger app to a device controlled by the attacker.

ESET’s telemetry data reported detections in numerous countries, including EU nations, the United States, Ukraine, and other global locations. As a result, both FlyGram and Signal Plus Messenger were later removed from Google Play.

The scope of this threat extends to a broader international landscape. ESET’s telemetry has detected the malicious apps in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen. Additionally, a link to FlyGram was shared within a Uyghur Telegram group, indicating potential targeting of Uyghurs and other Turkic ethnic minorities.

ESET’s role as a Google App Defense Alliance partner allowed for the prompt identification of Signal Plus Messenger’s malicious version, leading to its removal from the Google Play Store. Both FlyGram and Signal Plus Messenger were created by the same developer, sharing identical malicious features, and referring to the same developer website in their descriptions.

The espionage method employed by Signal Plus Messenger is unusual. After the initial app launch, users are required to log in via legitimate Signal functionality. Once logged in, Signal Plus Messenger connects to its command and control (C&C) server and begins spying on Signal messages by misusing the “link device” feature. This method, which ESET researchers had not previously seen in other malware, is the only way for the attackers to access the content of Signal messages. Signal’s developers have been informed of this vulnerability.

In contrast, FlyGram, the fake Telegram app, requires victims to log in through legitimate Telegram functionality. Before the login process completes, FlyGram establishes communication with the C&C server, enabling BadBazaar to extract sensitive information from the device. FlyGram can also access Telegram backups, provided the user has enabled a specific feature that the attackers added to the app; at least 13,953 user accounts had activated it. However, unlike Signal Plus Messenger, FlyGram cannot link a Telegram account to the attacker or intercept encrypted communications.
