ESET researchers have uncovered espionage campaigns against Android users by GREF, a China-aligned APT group. Two campaigns, likely active since around July 2020 and July 2022 respectively, have distributed the BadBazaar Android spyware through Google Play, the Samsung Galaxy Store, and dedicated fake websites.

Diving into details

Both trojanized apps, Signal Plus Messenger and FlyGram, were built to steal user data.
  • FlyGram collects basic device details as well as more sensitive information such as contact lists, call logs, and the list of Google accounts on the device.
  • It can also exfiltrate some Telegram-related data and settings, although this does not include Telegram contact lists, messages, or other confidential data.
  • Signal Plus Messenger collects comparable device data and sensitive details, but its primary purpose is to spy on the victim's Signal communications.
  • It can capture the Signal PIN that protects the account, and it abuses Signal's device-linking feature (the mechanism that lets users pair Signal Desktop or Signal for iPad with their phone) to link the victim's account to an attacker-controlled device, so that the attacker receives a copy of the victim's conversations.

Attribution

  • Samples of Signal Plus Messenger, FlyGram, and the BadBazaar malware share notable code overlaps, which ESET attributes to the GREF cluster, a group linked to APT15.
  • Furthermore, FlyGram was distributed through a Uyghur Telegram group, which matches the targeting pattern of earlier Android trojans used by GREF, namely BadBazaar, SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle.

The bottom line

ESET's discovery exposes two Android campaigns linked to Chinese actors. Because they spread the BadBazaar spyware through Google Play, the Samsung Galaxy Store, alternative app stores, and dedicated websites, mitigation comes down to installing messaging apps only from their official source, treating unofficial "enhanced" clones of Signal or Telegram as suspect, and keeping the device and its security software up to date. Signal users should additionally review Settings > Linked devices and unlink any device they do not recognize, since a covertly linked device is exactly what this spyware relies on.
Cyware Publisher