Cybersecurity researchers have discovered malicious versions of the Signal and Telegram Android apps on the Google Play Store and Samsung Galaxy Store. These fake apps have been distributing the China-linked “BadBazaar” spyware, targeting Android devices. The threat actors behind these malicious apps are associated with the China-aligned APT group known as GREF, according to ESET, a cybersecurity company.

The tainted Signal and Telegram apps, distributed as ‘Signal Plus Messenger’ and ‘FlyGram,’ have been active since July 2020 and July 2022, respectively. Both apps have delivered the Android BadBazaar espionage code through legitimate app stores as well as dedicated websites.

The main purpose of these Trojanized apps is to extract user data. FlyGram can collect device information, contact lists, call logs, and Google Account details. It can also access Telegram backups if a specific feature added by the attackers is enabled. At least 13,953 user accounts have activated this feature.

Signal Plus Messenger collects similar device data and sensitive information, but its primary goal is to spy on Signal communications. It can extract the victim's Signal PIN and abuse the Link Device feature, which normally connects Signal Desktop and Signal iPad to a user's phone, to link an attacker-controlled device to the victim's account.

The BadBazaar malware used in these apps has previously targeted Uyghurs and other Turkic ethnic minorities. FlyGram was even found being shared in a Uyghur Telegram group, consistent with BadBazaar's earlier targeting.

Victims of these malicious apps have been identified in Germany, Poland, the US, Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.

This discovery highlights the ongoing challenges in identifying and combating sophisticated cyber threats that leverage legitimate platforms to distribute malware, posing significant risks to user data and privacy.