Researchers have uncovered malicious Android apps on the Google Play Store and Samsung Galaxy Store that contain the BadBazaar spyware. The apps are designed to target users of Signal and Telegram and infect their devices with spyware. The campaign has been attributed to a China-linked actor known as GREF, with the apps distributing the BadBazaar code since July 2020 and July 2022, respectively. Victims of the campaign have been primarily detected in Germany, Poland, and the U.S., but also in other countries including Ukraine, Australia, Brazil, and Hong Kong. BadBazaar is a previously documented spyware that targets the Uyghur community in China, collecting a range of data from infected devices.

The rogue Android apps used in the campaign were never published on the Google Play Store, but they were available on the Samsung Galaxy Store. The apps have now been taken down from the Google Play Store. The campaign also involved tricking potential victims into downloading the apps from a Uyghur Telegram group. The apps, Signal Plus Messenger and FlyGram, collect and exfiltrate sensitive user data and are designed to mimic the respective apps, Signal and Telegram.

Signal Plus Messenger was found to secretly link the victim’s smartphone to the attacker’s device, allowing the attacker to spy on Signal communications without the victim’s knowledge. FlyGram implements SSL pinning, making it difficult to intercept and analyze network traffic between the app and its server. Further investigation revealed that around 13,953 users had installed FlyGram and activated the Cloud Sync feature.

ESET, the cybersecurity company that uncovered the campaign, continues to track the China-linked actor GREF as a separate cluster. The main purpose of the BadBazaar spyware is to exfiltrate device information, contact lists, call logs, and installed apps, and to conduct espionage on Signal messages.

