Chinese Group Spreads Android Spyware via Trojan Signal, Telegram Apps

Published: 23/11/2024   Category: security


Thousands of devices have become infected with BadBazaar, malware previously used to spy on Uyghur and Turkic ethnic minorities in China.



A China-based advanced persistent threat group that used an Android malware tool called BadBazaar to spy on Uyghurs is distributing the same spyware to users in several countries via Trojanized versions of the Signal and Telegram messaging apps.
The apps — Signal Plus Messenger and FlyGram — tout features and modifications not available with the official versions. But in reality, while they offer legitimate functionality, they can also exfiltrate device and user information and — in the case of Signal Plus — enable the threat actor to spy on communications.
Researchers from ESET who discovered the campaign say their telemetry shows thousands of users have downloaded both apps from Google's Play Store, Samsung's Galaxy Store, and websites the threat actors set up for each of the two apps.
The security vendor said it had detected infected devices in 16 countries so far, including the US, Australia, Germany, Brazil, Denmark, Portugal, Spain, and Singapore. The researchers have attributed the campaign to a Chinese group they are tracking as GREF.
"Based on analysis of BadBazaar, user espionage is their main goal with focus on Signal communication — in the case of malicious Signal Plus Messenger," says ESET researcher Lukáš Štefanko. "The campaigns seem to be active since malicious Signal Plus Messenger is still available on Samsung's Galaxy Store and was recently updated — on Aug. 11, 2023."
Unlike with previous use of BadBazaar, ESET has found nothing to suggest that GREF is using the malware to target specific groups or individuals, Štefanko says.
According to ESET, the threat actor appears to have initially uploaded Signal Plus Messenger to Google Play in July 2022 and FlyGram sometime in early June 2020. The Signal app garnered a few hundred downloads, while more than 5,000 users downloaded FlyGram from Play before Google removed it. It's unclear when GREF actors uploaded their Trojanized apps to Galaxy Store because Samsung does not reveal that information, ESET said.
GREF appears to have established dedicated websites for both malicious apps a few months before each of the apps became available on Play and Galaxy Store.
Google removed the latest version of Signal Plus Messenger from its Play Store after ESET notified the company about it in April. Google had previously already removed FlyGram from the store. But both apps remain an active threat because they are still available on Samsung's Galaxy Store even after ESET notified the company of the threat, the security vendor said in a report this week.
BadBazaar is malware that some other vendors have attributed to China-based APT15, aka Vixen Panda and Nickel. Lookout, the first to report on the malware last November, identified BadBazaar as one in a collection of unique surveillance tools that the Chinese government used in surveillance campaigns against Uyghurs and other Turkic minorities, both domestically and abroad.
ESET said that based on code similarities, both Signal Plus Messenger and FlyGram appear to definitely belong to the BadBazaar malware family.
FlyGram's features include the ability to extract basic device information, contact lists, call logs, and a list of all Google Accounts on a compromised Android device. FlyGram can also extract some basic metadata from Telegram apps and access a user's full Telegram backup — including contacts, profile pictures, groups, channels, and other information — if the user enables a specific Cloud Sync feature in the malicious app. Telemetry related to that specific backup feature showed that at least 13,953 individuals who downloaded FlyGram had activated it, ESET said.
Signal Plus Messenger collects the same kind of device and user information as FlyGram, but its main function is to spy on the user's Signal communications. One unique feature of the malware is its ability to extract the user's Signal PIN and use it to link Signal Desktop and Signal iPad to the attackers' own phones. "This spying approach stands out due to its uniqueness, as it differs from the functionality of any other known malware," ESET said.
"For specific individuals and enterprises, the impact can be huge, considering FlyGram is capable of not only spying on users but also downloading additional custom payload and making users install them," Štefanko notes. "Malicious Signal Plus Messenger, on the other hand, allows active espionage on exchanged Signal communication."
Štefanko says that while several other vendors have tied BadBazaar to APT15, ESET itself has not been able to conclusively establish that link. Instead, telemetry related to the malware, the Trojanized apps, and the threat infrastructure all point to BadBazaar being the handiwork of GREF, he says. "While we track GREF as a separate group, many researchers believe it is associated with APT15. However, we don't have enough evidence to support that connection."
