Chinese group spreads Android spyware via Trojan Signal, Telegram apps

A China-based advanced persistent threat group that used an Android malware tool called BadBazaar to spy on Uyghurs is distributing the same spyware to users in several countries via Trojanized versions of the Signal and Telegram messaging apps.

The apps — Signal Plus Messenger and FlyGram — tout features and modifications not available with the official versions. But in reality, while they offer legitimate functionality, they can also exfiltrate device and user information and — in the case of Signal Plus — enable the threat actor to spy on communications.

Thousands of Downloads

Researchers from ESET who discovered the campaign say their telemetry shows thousands of users have downloaded both apps from Google’s Play Store, Samsung Galaxy Store, and websites the threat actor’s set up for each of the two apps.

The security vendor said it had detected infected devices in 16 countries so far, including the US, Australia, Germany, Brazil, Denmark, Portugal, Spain, and Singapore. The researchers have attributed the campaign to a Chinese group they are tracking as GREF.

“Based on analysis of BadBazaar, user espionage is their main goal with focus on Signal communication — in the case of malicious Signal Plus Messenger,” says ESET researcher Lukáš Štefanko. “The campaigns seem to be active since malicious Signal Plus Messenger is still available on Samsung’s Galaxy Store and was recently updated — on Aug. 11, 2023.”

Unlike with previous use of BadBazaar, ESET has found nothing to suggest that GREF is using the malware to target specific groups or individuals, Štefanko says.

According to ESET, the threat actor appears to have initially uploaded Signal Plus Messenger to Google Play in July 2022 and FlyGram sometime in early June 2020. The Signal app garnered a few hundred downloads, while more than 5,000 users downloaded FlyGram from Play before Google removed it. It’s unclear when GREF actors uploaded their Trojanized apps to Galaxy Store because Samsung does not reveal that information, ESET said.

To read the complete article, visit Dark Reading.