2023-09-01

ESET researchers have discovered two active campaigns targeting Android users. ESET attributes both campaigns to GREF, a China-aligned APT group. The campaigns have been active since July 2020 and July 2022 respectively, distributing the Android BadBazaar espionage code through the Google Play store, the Samsung Galaxy Store, and fake websites posing as legitimate encrypted chat applications.

The malicious apps identified in these campaigns are FlyGram and Signal Plus Messenger, which were designed to imitate the popular encrypted messaging apps Signal and Telegram. The threat actors achieved this by patching the open-source apps with malicious code.

Signal Plus Messenger is the first documented case of spying on a victim’s Signal communications. Thousands of users downloaded the spy app, and ESET telemetry detected infections on Android devices in several countries and regions, including the EU, the United States, and Ukraine. Both malicious apps were later removed from the Google Play store.

The BadBazaar malware, hidden within these imposter apps, is designed to exfiltrate device information, contacts, call logs, and the list of installed apps. It also conducts espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device.

In addition to the Google Play store, a link to FlyGram was shared in a Uyghur Telegram group, indicating that this malware is specifically targeting Uyghurs and other Turkic ethnic minorities outside of China.

ESET, as a partner of the Google App Defense Alliance, promptly alerted Google about the malicious Signal Plus Messenger app, leading to its removal from the store.

The malicious apps were created by the same developer and share the same features. After the initial login, Signal Plus Messenger communicates with its command and control (C&C) server and can spy on Signal messages by misusing the “link device” feature. FlyGram, the fake Telegram app, communicates with the C&C server as well, allowing it to exfiltrate sensitive information from the device.

It is worth noting that while FlyGram can access Telegram backups, it lacks the ability to intercept encrypted communications or link a Telegram account to the attacker.

ESET researchers believe that the unique method of spying employed by these malware apps, particularly Signal Plus Messenger, has not been seen before. They have informed Signal’s developers about this loophole.

In conclusion, Android users should exercise caution when downloading apps, even from official stores, and in particular from unofficial sources, and should regularly update their devices and apps to protect against such threats.

