Chinese Group Spreads Android Spyware Using Trojan Versions of Legit Apps
A China-based cyber threat group, known for its long-running, targeted cyber-espionage against Uyghur individuals, has changed its approach: it is now distributing the same Android spyware, BadBazaar, to users in many other countries.
The group builds trojanized versions of popular messaging apps, in this case Signal and Telegram, and uses them to deliver the spyware and spy on unsuspecting users.
Signal Plus Messenger and FlyGram present themselves as enhanced clients that offer features and improvements beyond the official Signal and Telegram apps.
Both apps do work as messengers, but they also covertly collect information about the device and its user.
In the case of Signal Plus Messenger, ESET researchers found that the app goes further: it abuses Signal's legitimate "link device" feature to silently link the victim's Signal account to an attacker-controlled device, allowing the threat actor to read the victim's Signal communications. Anyone who has installed the app should open the Linked Devices screen in the official Signal client and remove any device they do not recognize.
Reports Show Users Downloaded Numerous Spyware Apps
According to ESET researchers, thousands of users have downloaded the two apps from several sources, including the Samsung Galaxy Store and Google Play, as well as from dedicated websites the threat actor set up for each of the two applications.
The company has also identified compromised devices in 16 countries, including the United States, Brazil, Australia, Germany, Denmark, Singapore, Portugal, and Spain. The researchers attribute the campaign to a China-aligned group they track as GREF.
ESET researcher Lukáš Štefanko notes that the primary objective of the threat actors behind BadBazaar is user surveillance, with a particular emphasis on monitoring Signal communication in the case of the malicious Signal Plus Messenger.
The campaign appears to have been running for some time: the trojanized Signal Plus Messenger was still available on Samsung's Galaxy Store at the time of the report and had last been updated on August 11, 2023.
According to ESET's findings, the threat actor initially uploaded Signal Plus Messenger to Google Play in July 2022, while FlyGram was uploaded sometime in early June 2020.
The malicious Signal Plus Messenger received a few hundred downloads from the Play Store, whereas FlyGram was downloaded by more than 5,000 users before Google removed it.
According to ESET, the exact date on which GREF uploaded the trojanized apps to the Galaxy Store is unknown, because Samsung does not disclose such information.
GREF appears to have set up a dedicated website for each of the two malicious apps several months before the apps became available on the Play Store and Galaxy Store.
Google has removed some of these spyware apps from its Play Store
Google reportedly took down the latest version of Signal Plus Messenger from the Play Store after ESET notified it in April 2023.
Google had already removed FlyGram from the store before that. Both apps nonetheless remain a live threat:
at the time of the report they were still available on Samsung's Galaxy Store, even though ESET had notified the company about them.
The post Chinese Group Spreads Android Spyware Using Trojan Versions of Legit Apps appeared first on The Tech Report.