A recent report by cybersecurity firm ESET has revealed an ongoing surveillance operation carried out by the advanced persistent threat (APT) hacking group known as GREF, with links to China. The group has been using Android malware to spy on Uyghur populations, and it is now employing similar tactics on individuals in multiple countries.

The malicious Android apps, named "Signal Plus Messenger" and "FlyGram," were found on the Google Play Store and the Samsung Galaxy Store. These apps impersonate the popular messaging platforms Signal and Telegram in order to extract sensitive user data. ESET also discovered that the apps had dedicated websites masquerading as the legitimate Signal and Telegram download pages.

The spyware campaign aims to extract various kinds of user data, including contact lists, call logs, Google account information, device location, and Wi-Fi details. The FlyGram app can also retrieve metadata from Telegram applications and access a user’s complete Telegram backup when the Cloud Sync feature is activated within the malicious app.

Meanwhile, the Signal Plus Messenger app is designed to spy on a user's Signal messages. The malware extracts the user's Signal PIN and links the victim's Signal account to Signal Desktop and Signal iPad instances running on the attacker's devices, without the user's knowledge or any action on their part.

ESET revealed that over 13,953 individuals who downloaded the FlyGram app had the Cloud Sync feature enabled. The researchers also presented a video demonstrating how the attacker can seamlessly link a compromised device's Signal account to a device under their control.

The FlyGram app was available on the Google Play Store from June 2020 and garnered over 5,000 installations before being removed in January 2021. Similarly, the Signal Plus Messenger app was uploaded on July 7th, 2022, and received over a hundred installations before it was taken down in May 2023.

Victims of this malware campaign have primarily been identified in Germany, Poland, and the United States, with cases also found in Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.

The cybersecurity firm Lookout had previously identified BadBazaar as a surveillance tool used by the Chinese government in campaigns targeting Uyghurs and other Turkic minorities. ESET noticed significant code similarities between the Signal Plus Messenger and FlyGram samples and the BadBazaar malware, which Lookout has attributed to the GREF cluster of APT15.

ESET has alerted both Google and Samsung about these malicious apps, resulting in their removal from Google Play. However, no action by Samsung has been reported at this time.

These findings highlight the ongoing threat of surveillance and the need for users to stay vigilant when downloading apps, especially those related to popular messaging platforms.