Cybersecurity researchers have uncovered a sinister campaign in which malicious Android apps mimic Signal and Telegram, two popular messaging platforms. Distributed via the Google Play Store and the Samsung Galaxy Store, these apps have been identified as carriers of the infamous BadBazaar spyware. The Slovakian cybersecurity firm ESET has traced this operation back to a China-linked actor named GREF.
Scope and Spread
Security researcher Lukáš Štefanko, from ESET, reported that FlyGram has been active since July 2020 and Signal Plus Messenger since July 2022. Key facts from the discovery include:
- Distribution platforms included the Google Play store, Samsung Galaxy Store, and dedicated websites for the malicious apps named Signal Plus Messenger and FlyGram.
- The primary victims were identified in Germany, Poland, and the U.S. Other affected regions include Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen.
- The spyware had a prior history. BadBazaar was first documented by Lookout in November 2022 when it targeted the Uyghur community in China. The malware was previously concealed within seemingly innocent Android and iOS apps, which, when installed, would harvest extensive user data, such as call logs, SMS messages, locations, and more.
Malicious App Details and Mechanisms
The apps in question are:
- Signal Plus Messenger (org.thoughtcrime.securesmsplus) – Recorded over 100 downloads since its July 2022 launch and can also be found on signalplus[.]org.
- FlyGram (org.telegram.FlyGram) – Garnered over 5,000 downloads since its debut in June 2020 and is available on flygram[.]org.
Shockingly, these apps were not restricted to the stores and websites mentioned above. Potential victims have likely also been deceived into downloading them from a Uyghur Telegram group that specializes in sharing Android apps. This group has more than 1,300 members.
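For defenders triaging a device, the two package names above are the simplest indicator to check. The following is an added example (not ESET's or the article's code) that parses the output of `adb shell pm list packages` and flags exact matches of the rogue IDs; the sample dump is constructed, and the legitimate Signal and Telegram IDs are included because the rogue Signal ID is a superstring of the real one.

```python
# Added example: flag the BadBazaar package names reported in the article in a
# dump of installed Android packages (output of `adb shell pm list packages`,
# one "package:<id>" per line). Matching by package name only catches these
# two known builds, not repackaged variants under other names.

# Package IDs reported in the article.
BADBAZAAR_PACKAGES = {
    "org.thoughtcrime.securesmsplus": "Signal Plus Messenger",
    "org.telegram.FlyGram": "FlyGram",
}

# Legitimate Play Store IDs, listed so the lookalikes above are not confused
# with them.
LEGIT_PACKAGES = {
    "org.thoughtcrime.securesms": "Signal",
    "org.telegram.messenger": "Telegram",
}


def parse_pm_list(output: str) -> list[str]:
    """Turn `pm list packages` output into a list of package IDs."""
    pkgs = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.append(line[len("package:"):])
    return pkgs


def find_badbazaar(packages) -> dict[str, str]:
    """Return {package_id: app_name} for exact matches of the rogue IDs.

    Exact matching matters: 'org.thoughtcrime.securesms' is a prefix of the
    rogue ID, so a substring test would also flag the genuine Signal app.
    """
    return {p: BADBAZAAR_PACKAGES[p] for p in packages if p in BADBAZAAR_PACKAGES}


# Constructed sample of what a triage dump from an affected phone might look like.
SAMPLE_DUMP = """\
package:com.android.settings
package:org.thoughtcrime.securesms
package:org.thoughtcrime.securesmsplus
package:org.telegram.FlyGram
"""

if __name__ == "__main__":
    for pkg, name in find_badbazaar(parse_pm_list(SAMPLE_DUMP)).items():
        print(f"BadBazaar indicator: {name} ({pkg})")
```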
Functionality and Risk
Both Signal Plus Messenger and FlyGram were built with the primary intent of accumulating and exfiltrating sensitive user data. They also had specific features tailored to extract information from the apps they pretended to be: Signal and Telegram. Key functionalities include:
- The ability to extract the Signal PIN and to back up Telegram chats if users activated a Cloud Sync feature in the rogue apps.
- Signal Plus Messenger uniquely allows surveillance of a victim’s Signal communications. This covert method links the compromised device to the attacker’s Signal account without the user’s intervention.
- FlyGram employs SSL pinning to elude analysis: the certificate is embedded within its APK file, and the app will only communicate with a server presenting that predefined certificate, which makes interception and analysis of the app-to-server network traffic difficult.
These apps provide an alarming look at how modern malware operates. BadBazaar's primary purpose is to exfiltrate device data and to spy on Signal messages by covertly linking the victim's Signal Plus Messenger app to the attacker's device.
Recommendations and Precautions
Users should always remain vigilant about the apps they install, especially ones that promise enhanced privacy or additional features. It’s strongly recommended to stick to the original versions of Signal and Telegram. Downloading forked or patched versions from unofficial platforms, even if listed on recognized app stores, can lead to security breaches.
Android users, in particular, are urged to take steps to secure their devices. Given that these apps remain accessible on Samsung's Galaxy Store, there is an increased need for proactive measures to protect device and data security.
In an age where data breaches and cyberattacks are becoming more sophisticated and frequent, individuals must stay informed and exercise caution. Using trusted sources for downloads, keeping software up-to-date, and frequently monitoring device security are fundamental steps towards a safer digital experience.