The rogue Android apps used in the campaign were never published on the Google Play Store, but they were available on the Samsung Galaxy Store. The apps have now been taken down from the Google Play Store. The campaign also involved tricking potential victims into downloading the apps from a Uyghur Telegram group. The two apps, Signal Plus Messenger and FlyGram, are designed to mimic the legitimate Signal and Telegram apps, respectively, and collect and exfiltrate sensitive user data.
Signal Plus Messenger was found to secretly link the victim's smartphone to the attacker's device, allowing the attacker to spy on Signal communications without the victim's knowledge. FlyGram implements SSL pinning, which makes it difficult to intercept and analyze network traffic between the app and its server. Further investigation revealed that around 13,953 users had installed FlyGram and activated its Cloud Sync feature.
ESET, the cybersecurity company that uncovered the campaign, continues to track the China-linked actor GREF as a separate cluster. The main purpose of the BadBazaar spyware is to exfiltrate device information, contact lists, call logs, and the list of installed apps, and to spy on Signal messages.