Monday, October 2, 2023

ESET Research Uncovers Espionage Apps Impersonating Signal and Telegram Linked to China-aligned Group GREF

ESET Research has identified two trojanized Android apps that imitate Signal and Telegram: Signal Plus Messenger and FlyGram. Both were initially available on Google Play and the Samsung Galaxy Store; both have since been removed from Google Play. Signal Plus Messenger is of particular concern because it is the first documented case of spying on a victim's Signal communications by silently linking the compromised device to an attacker-controlled Signal device.

The malicious code in both apps belongs to the BadBazaar malware family, which has previously been attributed to the China-aligned APT group GREF. The apps reached a significant number of users: ESET telemetry recorded detections on Android devices in several EU countries, the United States, Ukraine, and other locations worldwide.

Historically, BadBazaar has been used against Uyghurs and other Turkic ethnic minorities. Consistent with that targeting, a link to FlyGram was shared in a Uyghur Telegram group.

ESET researchers identified two active campaigns targeting Android users, both attributed to GREF: one has been running since approximately July 2020 and the other since approximately July 2022. The campaigns distributed the BadBazaar espionage code through Google Play, the Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat apps. The two malicious apps, FlyGram and Signal Plus Messenger, were created by the same developer and share the same malicious functionality. Both were removed from Google Play after ESET reported them.

On launch, Signal Plus Messenger asks the user to log in using the legitimate Signal login flow. Once the user is authenticated, the app begins communicating with its command-and-control (C&C) server. It can then eavesdrop on the victim's Signal messages by abusing Signal's "link device" feature, silently linking the compromised device to the attacker's Signal device without any user interaction. This technique is what drew ESET's attention; the researchers reported it to Signal's developers. One practical check for any Signal user is to review the list of linked devices in the official app's settings and unlink any device they do not recognize.

Lukáš Štefanko, ESET researcher

“Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background,” says ESET researcher Lukáš Štefanko, who made the discovery. “BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” he adds.

ESET telemetry reports detections in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen. In addition, a link to FlyGram's Google Play listing was shared in a Uyghur Telegram group. Apps from the BadBazaar malware family have previously been used against Uyghurs and other Turkic ethnic minorities outside China.

FlyGram, the counterfeit Telegram app, likewise requires the user to log in through the legitimate Telegram flow. Even before authentication succeeds, FlyGram starts communicating with its C&C server, giving BadBazaar the ability to exfiltrate sensitive information from the device. If the user enabled a feature the attackers added to the app, FlyGram could also access Telegram backups. The attacker's proxy server may log metadata, but it cannot decrypt the content of messages exchanged over Telegram. Unlike Signal Plus Messenger, FlyGram has no way to link the victim's Telegram account to the attacker's device or to intercept the victim's encrypted communications.

As a partner in the Google App Defense Alliance, ESET reported Signal Plus Messenger, which led to its removal from the store. The findings illustrate how espionage tooling continues to evolve and why ongoing research is needed to identify and counter new tactics.

Covered By: NCN MAGAZINE / ESET
