ESET researchers have recently discovered two active campaigns targeting Android users which have been attributed to a China-aligned APT group called GREF. The campaigns, which have been active since July 2020 and July 2022 respectively, have distributed the Android BadBazaar espionage code through various platforms including the Google Play store, Samsung Galaxy Store, and dedicated websites. The malicious apps used in these campaigns were disguised as popular messaging apps Signal and Telegram, with the threat actors patching the open-source Signal and Telegram apps for Android with the malicious BadBazaar code.
According to ESET Research, the trojanized apps, named Signal Plus Messenger and FlyGram, were initially found on Google Play and Samsung Galaxy Store. The malicious code found in these apps has been attributed to the BadBazaar malware family, previously used by the China-aligned APT group GREF to target Uyghurs and other Turkic ethnic minorities. FlyGram was also found to be shared in a Uyghur Telegram group, further indicating its targeting of this specific group.
FlyGram can access a victim's Telegram backups if the user enables a specific feature that the attackers added to the app. At least 13,953 user accounts activated this feature, giving the threat actors full access to those Telegram backups; it is important to note, however, that these backups do not contain actual messages. Signal Plus Messenger, on the other hand, represents the first documented case of spying on a victim's Signal communications by secretly auto-linking the compromised device to the attacker's Signal device. This unique method lets the threat actors extract sensitive information, including the Signal PIN that protects the Signal account.
ESET was able to identify active Android campaigns where the threat actors uploaded and distributed these malicious apps through various platforms, mimicking the legitimate Signal and Telegram apps. The purpose of these trojanized apps is to exfiltrate user data, including basic device information, contact lists, call logs, and Google Accounts.
The malicious Signal Plus Messenger app was uploaded to Google Play on July 7th, 2022, and was installed over a hundred times before being removed. The same app was also found on the Samsung Galaxy Store. Both apps were created by the same developer and share the same malicious features. The app descriptions on both stores refer to the same developer website, signalplus[.]org.
Similarly, the malicious FlyGram app was initially uploaded to Google Play around June 4th, 2020, and managed to garner over 5,000 installations before being taken down. It was also available for download from its dedicated website flygram[.]org. Both apps were found to be part of the BadBazaar malware family, previously used to target Uyghurs and other Turkic ethnic minorities.
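The two developer domains above are the only network indicators the report gives, and they are published defanged (signalplus[.]org, flygram[.]org). The following is an added example, not code from ESET or from the report, showing how a defender would refang such indicators and match them against DNS query logs, including the edge cases that cause false positives or misses with naive substring matching: subdomains of an indicator should match, look-alike hosts that merely contain the indicator string should not, and case and trailing dots must be normalized. The log layout (timestamp, client, query type, query name) and every log line are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators as published in the report, in their defanged form.
DEFANGED_DOMAINS = ["signalplus[.]org", "flygram[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 'flygram[.]org', 'hxxps://...') back into a usable form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    # hxxp:// and hxxps:// are the usual defanged scheme spellings.
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), s)
    return s


def normalize_host(host: str) -> str:
    """Lowercase and strip the trailing dot that DNS loggers often keep on FQDNs."""
    return host.strip().lower().rstrip(".")


def host_matches(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the matching indicator if host equals it or is a subdomain of it, else None.

    Suffix matching on '.' + domain ensures 'api.flygram.org' matches while
    'www.notflygram.org' and 'flygram.org.evil-lookalike.test' do not.
    """
    h = normalize_host(host)
    for d in ioc_domains:
        if h == d or h.endswith("." + d):
            return d
    return None


# Constructed sample DNS query log (not from the report):
# "<timestamp> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2023-08-30T10:01:02Z 10.0.0.12 A updates.example.com.
2023-08-30T10:01:05Z 10.0.0.12 A api.flygram.org.
2023-08-30T10:02:11Z 10.0.0.45 AAAA www.notflygram.org.
2023-08-30T10:03:44Z 10.0.0.45 A SIGNALPLUS.ORG
2023-08-30T10:04:00Z 10.0.0.77 A flygram.org.evil-lookalike.test.
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def scan_dns_log(text: str, defanged: Iterable[str] = DEFANGED_DOMAINS) -> List[Dict[str, str]]:
    """Scan log text for queries to the indicator domains; return one record per hit."""
    iocs = [refang(d) for d in defanged]
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        matched = host_matches(m["qname"], iocs)
        if matched:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": normalize_host(m["qname"]),
                "ioc": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (matches {hit['ioc']})")
```

Running the block reports two hits: the client that resolved api.flygram.org and the one that resolved SIGNALPLUS.ORG; the look-alike names on the other lines are correctly ignored. A DNS hit only shows that a device contacted the developer site, so it is a starting point for checking which apps are installed on that device, not proof of infection on its own.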
ESET's research indicates that GREF, a China-aligned APT group, is behind these campaigns. The code similarities between the trojanized apps and the BadBazaar malware family, as well as the targeting of Uyghur communities, align with GREF's previous activities. However, ESET acknowledges that it is currently unable to confirm a link between GREF and APT15, the group named in Lookout's attribution.
The campaigns have targeted Android users from various countries, including Australia, Brazil, Denmark, Germany, Hong Kong, Hungary, Spain, Ukraine, the United States, and Yemen. In addition to distribution through official app stores, potential victims were also lured to install the FlyGram app from a Uyghur Telegram group focused on Android app sharing.
Overall, these campaigns highlight the ongoing efforts of threat actors to target Android users with trojanized apps. It is important for users to exercise caution when downloading apps, especially from unofficial sources, and to regularly update their devices with the latest security patches.