Chinese Group Found Spreading Android Spyware Through Trojan Signal and Telegram Apps

A China-based advanced persistent threat group known as GREF has been discovered distributing a spyware called BadBazaar to users in multiple countries through Trojanized versions of the popular messaging apps Signal and Telegram. The threat actor initially used BadBazaar, an Android malware tool, to spy on Uyghurs and has now expanded its operations to target users worldwide.

According to researchers from ESET who uncovered the campaign, thousands of users have downloaded the malicious apps, named Signal Plus Messenger and FlyGram, from various app stores and websites. The researchers have identified infected devices in 16 countries, including the United States, Australia, Germany, Brazil, and Singapore. The campaign has been active since at least August 2023, and the researchers have attributed it to the Chinese group GREF.

Unlike earlier uses of BadBazaar, there is no evidence to suggest that GREF is targeting specific groups or individuals with the spyware. The threat actor's main goal nonetheless appears to be user espionage and the monitoring of Signal communications, particularly in the case of Signal Plus Messenger.

ESET’s investigation revealed that GREF first uploaded Signal Plus Messenger to Google Play in July 2022 and FlyGram in early June 2020. While the Signal app only received a few hundred downloads, more than 5,000 users downloaded FlyGram from Google Play before it was removed. The exact timeline of when the Trojanized apps were uploaded to Samsung’s Galaxy Store remains unclear.

The threat actor went to great lengths to make the malicious apps appear legitimate. They even created dedicated websites for both Signal Plus Messenger and FlyGram months before the apps became available on official app stores. Although Google removed the latest version of Signal Plus Messenger from its Play Store after being notified by ESET, both apps remain active threats as they are still accessible on Samsung’s Galaxy Store.

BadBazaar is a malware family that has been previously linked to the China-based APT15 group. Lookout, a cybersecurity company, first reported on the malware in November 2022. It was identified as one of several surveillance tools used by the Chinese government to target Uyghurs and other Turkic minorities. ESET’s analysis confirms that both Signal Plus Messenger and FlyGram belong to the BadBazaar malware family.

FlyGram has the capability to extract basic device information, contact lists, call logs, Google Account details, and metadata from Telegram apps. It can also access the user’s full Telegram backup if the Cloud Sync feature is activated in the Trojanized app. Telemetry data indicates that at least 13,953 individuals who downloaded FlyGram had enabled this specific backup feature.

Signal Plus Messenger collects the same device and user information as FlyGram but focuses on spying on the user's Signal communications. The malware has a unique capability to extract the user's Signal PIN and use it to link the Signal Desktop and Signal iPad apps to the threat actor's phone, giving the attacker a linked device on the victim's account. This spying approach sets BadBazaar apart from other known malware.

The impact of these malicious apps can be significant. FlyGram not only spies on users but can also download additional custom payloads and force users to install them. Similarly, Signal Plus Messenger allows active espionage on exchanged Signal communication. This level of surveillance can have serious consequences for individuals and enterprises targeted by GREF.

While other cybersecurity vendors have connected BadBazaar to APT15, ESET has not yet established a definitive link. However, the telemetry data related to the malware, Trojanized apps, and threat infrastructure all point to GREF as the group behind BadBazaar. Further investigation is needed to determine the exact nature of GREF’s relationship with APT15.

In conclusion, the distribution of Trojanized versions of Signal and Telegram by the Chinese threat actor GREF underscores the importance of vigilance and caution while downloading apps from official app stores. Users should only install apps from trusted sources and be wary of suspicious app functionalities or modifications. Additionally, organizations should implement robust security measures to detect and mitigate the risks associated with advanced persistent threat groups like GREF.
