ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF.
Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications - the malicious apps are FlyGram and Signal Plus Messenger.
The threat actors achieved the functionalities in the fake Signal and Telegram apps by patching the open-source Signal and Telegram apps for Android with malicious code.
Signal Plus Messenger is the first documented case of spying on a victim's Signal communications; thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide. Both apps were later removed from Google Play.
ESET Researcher Lukáš Štefanko, who made the discovery, says, “Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background."
“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” he adds.
ESET telemetry reports detections from Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen.
Furthermore, a link to FlyGram in the Google Play store was also shared in a Uyghur Telegram group. Apps by the BadBazaar malware family previously have been used against Uyghurs and other Turkic ethnic minorities outside of China.
As a Google App Defense Alliance partner, ESET identified the most recent version of the Signal Plus Messenger as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the Store.
Both apps were created by the same developer and share the same malicious features, and the app descriptions on both stores refer to the same developer website.
After initial app start, the user has to log into Signal Plus Messenger via legitimate Signal functionality, just like they would with the official Signal app for Android.
Once logged in, Signal Plus Messenger starts to communicate with its command and control (C&C) server. Signal Plus Messenger can spy on Signal messages by misusing the “link device” feature. It does this by automatically connecting the compromised device to the attacker’s Signal device.
This method of spying is unique: ESET researchers haven’t seen this functionality being misused before by other malware, and this is the only method by which the attacker can obtain the content of Signal messages. ESET Research has informed Signal’s developers about this loophole.
With regard to the fake Telegram app, FlyGram, the victim has to log in via their legitimate Telegram functionality, as required by the official Telegram app.
Before the login is complete, FlyGram starts to communicate with the C&C server and BadBazaar gains the ability to exfiltrate sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts.
The attacker’s proxy server may be able to log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike the Signal Plus Messenger, FlyGram lacks the ability to link a Telegram account to the attacker or intercept the encrypted communications of its victims, ESET states.