Researchers from ESET, a proactive threat detection company, have discovered two malicious applications posing as Telegram and Signal clients in order to infect unsuspecting victims’ smartphones. The report states that the spyware was identified on Android devices, putting thousands of them at risk.
According to the cybersecurity company’s study, the tool is attributed to GREF, an Advanced Persistent Threat (APT) group from China. The apps appear to have remained active and available for download from July 2020 to July 2022, a period during which the group used them to compromise phones worldwide.
The infected applications were distributed through official app stores, such as Google’s Play Store and Samsung’s Galaxy Store, as well as through dedicated websites for the malicious apps Signal Plus Messenger and FlyGram. The spyware was identified as “BadBazaar,” and it operates discreetly in the background without the victim’s awareness.
Based on their telemetry, ESET identified active Android campaigns in which an attacker uploaded and distributed malicious applications under the names Signal Plus Messenger and FlyGram via Google Play Store, Samsung Galaxy Store, and websites, mimicking the Signal app (signalplus[.]org) and an alternative Telegram app (flygram[.]org).
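The two domains the article names, signalplus[.]org and flygram[.]org, are the kind of indicator a defender would sweep DNS and proxy logs for. The script below is an added example (not ESET’s code and not from the article): it refangs the published indicators, extracts hostnames from each log line, and reports only exact-domain or subdomain matches, so a look-alike such as a constructed “notflygram.org” is not flagged. The log lines are constructed for the example and are not real telemetry.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators as published in the article, in their defanged form.
DEFANGED_IOCS = ["signalplus[.]org", "flygram[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]org', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

# Pulls bare hostnames or URL hosts out of a free-form log field.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def matches_ioc(host: str) -> Optional[str]:
    """Return the matching IoC domain if host equals it or is a subdomain of it.

    A suffix check on '.' + domain avoids false positives on look-alikes such as
    'notflygram.org', which merely end with the same characters.
    """
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one hit per line that contacts an IoC domain."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for m in _HOST_RE.finditer(line):
            dom = matches_ioc(m.group(1))
            if dom:
                hits.append({"line": lineno, "host": m.group(1).lower(),
                             "ioc": dom, "raw": line.strip()})
                break  # one hit per line is enough for triage
    return hits


# Constructed sample DNS/proxy log lines (hypothetical, not real telemetry).
SAMPLE_LOG = [
    "2022-07-01T10:00:01Z dns query from 10.0.0.12 name=api.flygram.org type=A",
    "2022-07-01T10:00:05Z proxy 10.0.0.12 GET https://www.signalplus.org/update/ status=200",
    "2022-07-01T10:00:09Z dns query from 10.0.0.13 name=signal.org type=A",
    "2022-07-01T10:00:12Z proxy 10.0.0.14 GET https://notflygram.org/ status=404",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} matched {hit['ioc']}")
```

Only the first two constructed lines are reported; the legitimate signal.org lookup and the look-alike domain are left alone, which is the behaviour you want before feeding such matches into an alerting pipeline.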
See below the map of affected countries:
The document points out that BadBazaar’s purpose was to collect data stored in the device’s internal storage, such as notepad entries, login information and banking credentials, and send it directly to the criminal, who could then use it to commit fraud, including bank fraud, and other scams.
In the case of FlyGram, the “parallel” version of the Russian messenger, if users enable a specific FlyGram feature that backs up and restores Telegram data to a remote server controlled by the attackers, the threat actor gains full access to those Telegram backups, not just the collected metadata.
Signal Plus Messenger, on the other hand, collects device data and similar confidential information, but its main goal is to spy on the victim’s Signal communications: it can potentially extract the Signal PIN that protects the account and abuse the device-linking feature that lets users connect Signal Desktop and Signal iPad.