Cybersecurity researchers have uncovered a troubling Android spyware campaign targeting users of the popular messaging apps Signal and Telegram. Malicious apps, distributed via legitimate platforms like the Google Play Store and Samsung Galaxy Store, have been engineered to deploy the BadBazaar spyware on compromised devices.
Slovakian company ESET has attributed this campaign to a China-linked actor known as GREF. The two malicious apps, Signal Plus Messenger and FlyGram, have likely been active since July 2020 and July 2022, respectively, and are distributed through dedicated websites as well as official app stores; victims are located primarily in Germany, Poland, and the U.S.
The espionage capabilities of the BadBazaar spyware are concerning: the campaign is primarily aimed at exfiltrating sensitive data from infected devices, including call logs, SMS messages, location data, and more.
Notably, the spyware has targeted the Uyghur community in China, using seemingly benign Android and iOS apps to harvest information. The campaign also extends back to at least 2018, with rogue Android apps that were never published on the Play Store but remain available on the Samsung Galaxy Store. Two apps, Signal Plus Messenger and FlyGram, are central to the campaign’s distribution mechanisms. These apps are designed to mimic Signal and Telegram, respectively, while collecting and exfiltrating sensitive user data.
Additionally, Signal Plus Messenger uses a distinctive technique: it covertly links the compromised device to the attacker's Signal account without any user interaction. ESET researchers noted that the spyware's primary objective is to exfiltrate device information, contact lists, call logs, and the list of installed apps, and to conduct surveillance on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device.