China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users

Cyber Security Threat Summary:
Researchers at ESET recently disclosed details of a new campaign where threat actors are using the Google Play Store and Samsung Galaxy Store to advertise malicious Android apps for Signal and Telegram, with the end goal of infecting unsuspecting users with BadBazaar spyware. Victims targeted in the latest campaign primarily reside in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. Below is a list of the applications being used to deploy BadBazaar:

  • Signal Plus Messenger (org.thoughtcrime.securesmsplus) - 100+ downloads since July 2022, also available via signalplus[.]org
  • FlyGram (org.telegram.FlyGram) - 5,000+ downloads since June 2020, also available via flygram[.]org

Although the applications have been taken off the Google Play Store, they are still accessible on the Samsung Galaxy Store. Researchers also have observed cases of these threat actors tricking victims into installing the apps via a Uyghur Telegram group, amassing over 1,300 members.

Security Officer Comments:
ESET has attributed this campaign to a China-linked actor called GREF, which was previously seen deploying BadBazaar in attacks. The latest malicious applications being promoted are slightly different variants of BadBazaar and are capable of collecting and exfiltrating sensitive user data, while also stealing data related to Signal and Telegram, including PINs and chat backups, for espionage-related purposes. These backups can be accessed if the user has the Cloud Sync feature enabled, which researchers say approximately 13,953 users had activated at the time of analysis.

“In what's a novel twist, Signal Plus Messenger represents the first documented case of surveillance of a victim's Signal communications by covertly linking the compromised device to the attacker's Signal account without requiring any user interaction. FlyGram, for its part, also implements a feature called SSL pinning to evade analysis by embedding the certificate within the APK file such that only encrypted communication with the predefined certificate is allowed, thereby making it challenging to intercept and analyze the network traffic between the app and its server” (The Hacker News, 2023).

Suggested Correction(s):
Users should avoid downloading software from third-party sites or from links shared through messaging applications like Telegram. Software should also be scanned by antivirus solutions, which can be instrumental in detecting malicious embedded executables. When installing an application from the Play Store, it is always a good idea to check user reviews and ensure the application is not requesting more permissions than it requires to function normally.
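As an added example (not from ESET or The Hacker News), the following script triages the output of `adb shell pm list packages -i` for the two package names listed above and for lookalike packages squatting in the genuine Signal and Telegram namespaces, along with the installer that delivered each one. The official package IDs (`org.thoughtcrime.securesms`, `org.telegram.messenger`, `org.telegram.messenger.web`) and the installer IDs for the Play Store and Galaxy Store are taken from general Android knowledge, not from the summary, and the device listing is constructed sample data.

```python
import re

# Package names the summary above reports as carrying BadBazaar.
KNOWN_BAD = {
    "org.thoughtcrime.securesmsplus",  # Signal Plus Messenger
    "org.telegram.FlyGram",            # FlyGram
}

# Genuine package IDs under each vendor namespace (assumed canonical here);
# any other package under these prefixes is a lookalike worth review.
OFFICIAL = {
    "org.thoughtcrime.": {"org.thoughtcrime.securesms"},
    "org.telegram.": {"org.telegram.messenger", "org.telegram.messenger.web"},
}

# Constructed sample of `adb shell pm list packages -i` output, not real device data.
# installer=com.android.vending is the Play Store, com.sec.android.app.samsungapps
# the Galaxy Store, and null means sideloaded or unknown.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:org.telegram.FlyGram  installer=com.sec.android.app.samsungapps
package:org.thoughtcrime.securesmsplus  installer=null
package:org.telegram.messenger  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Return (package, installer) tuples for each well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(packages):
    """Return {package: reason} for every installed package that merits follow-up."""
    hits = {}
    for pkg, installer in packages:
        if pkg in KNOWN_BAD:
            hits[pkg] = f"known BadBazaar package (installer={installer})"
            continue
        for prefix, genuine in OFFICIAL.items():
            if pkg.startswith(prefix) and pkg not in genuine:
                hits[pkg] = f"lookalike in {prefix} namespace (installer={installer})"
    return hits


if __name__ == "__main__":
    for pkg, why in triage(parse_pm_output(SAMPLE)).items():
        print(f"{pkg}: {why}")
```

Flagged packages are candidates for review, not verdicts; the installer field helps separate a Galaxy Store or sideloaded install from one that came through the Play Store.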