ESET researchers have detected ongoing campaigns aimed at Android users, attributed to the China-linked APT group GREF. The two campaigns, believed to have been active since July 2020 and July 2022 respectively, have distributed the BadBazaar espionage code for Android through the Google Play store, the Samsung Galaxy Store, and dedicated websites, posing as legitimate apps under the names Signal Plus Messenger and FlyGram.
The attackers trojanized the open-source Signal and Telegram apps for Android by embedding the malicious BadBazaar code. The objective of these tampered apps is to steal user data. FlyGram can extract various types of information, including device details, contact lists, call logs, and Google Account information. It can also collect certain data and settings associated with Telegram, although sensitive content such as message histories and contact lists remains inaccessible to it. However, if the user enables a FlyGram feature that backs up and restores Telegram data to a server controlled by the attackers, the attackers gain complete access to those backups, which contain far more than metadata. Notably, the analysis revealed that the unique IDs assigned to newly registered accounts on that server follow a sequential pattern, implying that at least 13,953 FlyGram accounts had enabled this feature.
Signal Plus Messenger gathers similar device data and sensitive details, but its primary purpose is to spy on the user's Signal communications. This includes extracting the Signal PIN that protects the account and abusing the "link device" feature, which legitimately allows users to connect Signal Desktop and Signal iPad to their mobile devices, in order to link an attacker-controlled device to the victim's Signal account. This spying technique is distinctive and has not been observed in other known malware.