Chinese Group Spreads Android Spyware via Trojan Signal, Telegram Apps

A China-based advanced persistent threat group that used an Android malware tool called BadBazaar to spy on Uyghurs is distributing the same spyware to users in several countries via Trojanized versions of the Signal and Telegram messaging apps.

The apps — Signal Plus Messenger and FlyGram — tout features and modifications not available with the official versions. But in reality, while they offer legitimate functionality, they can also exfiltrate device and user information and — in the case of Signal Plus — enable the threat actor to spy on communications.

Thousands of Downloads

Researchers from ESET who discovered the campaign say their telemetry shows thousands of users have downloaded both apps from Google's Play Store, Samsung Galaxy Store, and websites the threat actor's set up for each of the two apps.

The security vendor said it had detected infected devices in 16 countries so far, including the US, Australia, Germany, Brazil, Denmark, Portugal, Spain, and Singapore. The researchers have attributed the campaign to a Chinese group they are tracking as GREF.

"Based on analysis of BadBazaar, user espionage is their main goal with focus on Signal communication — in the case of malicious Signal Plus Messenger," says ESET researcher Lukáš Štefanko. "The campaigns seem to be active since malicious Signal Plus Messenger is still available on Samsung's Galaxy Store and was recently updated — on Aug. 11, 2023."

Unlike with previous use of BadBazaar, ESET has found nothing to suggest that GREF is using the malware to target specific groups or individuals, Štefanko says.

According to ESET, the threat actor appears to have initially uploaded Signal Plus Messenger to Google Play in July 2022 and FlyGram sometime in early June 2020. The Signal app garnered a few hundred downloads, while more than 5,000 users downloaded FlyGram from Play before Google removed it. It's unclear when GREF actors uploaded their Trojanized apps to Galaxy Store because Samsung does not reveal that information, ESET said.

GREF appears to have established dedicated websites for both malicious apps a few months before each of the apps became available on Play and Galaxy Store.

Google removed the latest version of Signal Plus Messenger from its Play Store after ESET notified the company about it in April. Google had previously already removed FlyGram from the store. But both apps remain an active threat because they are still available on Samsung's Galaxy Store even after ESET notified the company of the threat, the security vendor said in a report this week.

Potentially Big Impact for Victims

BadBazaar is malware that some other vendors have attributed to China-based APT15, aka Vixen Panda and Nickel. Lookout, the first to report on the malware last November, identified BadBazaar as one in a collection of unique surveillance tools that the Chinese government used in surveillance campaigns against Uyghurs and other Turkic minorities, both domestically and abroad.

ESET said that based on code similarities, both Signal Plus Messenger and FlyGram appear to definitely belong to the BadBazaar malware family.

FlyGram's features include the ability to extract basic device information, contact lists, call logs, and a list of all Google Accounts on a compromised Android device. FlyGram can also extract some basic metadata from Telegram apps and access a user's full Telegram backup — including contacts, profile pictures, groups, channels, and other information — if the user enables a specific Cloud Sync feature in the malicious app. Telemetry related to that specific backup feature showed that at least 13,953 individuals who downloaded FlyGram had activated it, ESET said.

Signal Plus Messenger collects the same kind of device and user information as FlyGram, but its main function is to spy on the user's Signal communications. One unique feature about the malware is its ability to extract the user's Signal PIN and use it to link the Signal Desktop and Signal iPad to their own phones. "This spying approach stands out due to its uniqueness, as it differs from the functionality of any other known malware," ESET said.

"For specific individuals and enterprises, the impact can be huge, considering FlyGram is capable of not only spying on users but also downloading additional custom payload and making users install them," Štefanko notes. "Malicious Signal Plus Messenger, on the other hand, allows active espionage on exchanged Signal communication."

Štefanko says that while several other vendors have tied BadBazaar to APT15, ESET itself has not been able to conclusively establish that link. Instead, telemetry related to the malware, the Trojanized apps, and the threat infrastructure all point to BadBazaar being the handiwork of GREF, he says. "While we track GREF as a separate group, many researchers believe it is associated with APT15. However, we don't have enough evidence to support that connection."