Thousands of users have downloaded the FlyGram and Signal Plus Messenger spy apps from the Google Play Store and Samsung Galaxy Store. ESET telemetry has reported detections on Android devices in Europe, the US, Ukraine and other parts of the world.
Researchers at ESET, a global European leader in the cybersecurity market, have identified two active campaigns targeting Android users of Telegram and Signal, attributed to the China-aligned APT group GREF. Most likely active since July 2020 and July 2022 respectively, the campaigns distributed the BadBazaar Android spyware through the Google Play Store, the Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications – the malicious apps are FlyGram and Signal Plus Messenger. The threat actors built the fake Signal and Telegram apps by patching the open-source Signal and Telegram apps for Android with malicious code. Signal Plus Messenger is the first documented case of spying on a victim's Signal communications; thousands of users have downloaded the spy apps. ESET telemetry has reported detections on Android devices in several countries in the European Union, the United States, Ukraine and other countries around the world. Both apps were later removed from Google Play.
“BadBazaar's malicious code was hidden in trojanized Signal and Telegram apps, which provide victims with a working app experience, but with spying activity in the background,” explains Lukáš Štefanko, the ESET researcher who made the discovery. “The main purpose of BadBazaar is to exfiltrate your device information, contact list, call logs and installed apps list, and to conduct spying on Signal messages by secretly connecting the victim's Signal Plus Messenger app to the attacker's device,” he adds.
ESET telemetry reports detections from Australia, Brazil, Denmark, Democratic Republic of Congo, Germany, Hong Kong, Hungary, Lithuania, Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, United States and Yemen. Additionally, a link to FlyGram in the Google Play Store was also shared in a Uyghur Telegram group. BadBazaar malware applications have previously been used against Uyghurs and other Turkic ethnic minorities outside of China.
As a partner of the Google App Defense Alliance, ESET identified the latest version of Signal Plus Messenger as malicious and promptly shared its findings with Google. Following the report, the app was removed from Google Play. Both apps were created by the same developer and share the same malicious features, and the app descriptions on both stores reference the same developer's website.
After the initial launch of the app, the user must log in to Signal Plus Messenger through Signal's legitimate functionality, just as they would with the official Android app. Once logged in, Signal Plus Messenger begins communicating with its command and control (C&C) server. Signal Plus Messenger can spy on Signal messages by abusing the “link device” feature. It does so by automatically linking the compromised device to the attacker's Signal device. This spying method is unique: ESET researchers have never seen this functionality misused by other malware, and it is the only method by which the attacker can access the content of Signal messages. ESET Research has informed Signal's developers of this flaw.
As for the fake Telegram app, FlyGram, the victim must log in through Telegram's legitimate functionality, as required by the official app. Before the login is completed, FlyGram begins communicating with the C&C server and BadBazaar gains the ability to exfiltrate sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the attackers; this feature has been enabled from at least 13,953 user accounts. The attacker's proxy server may be able to log some metadata, but it cannot decrypt the data and messages actually exchanged within Telegram. Unlike Signal Plus Messenger, FlyGram does not have the ability to link a Telegram account to the attacker or to intercept its victims' encrypted communications.
For more technical information on GREF's latest campaigns involving BadBazaar and trojanized spy apps, please see the blog post “BadBazaar espionage tool targets Android via trojanized Signal and Telegram apps” on WeLiveSecurity.