2023-08-31

ESET researcher Lukas Stefanko discovered trojanized Telegram and Signal apps distributing the BadBazaar spyware through the Google Play Store and Samsung Galaxy Store.

The malware — uploaded by the Chinese APT hacking group GREF — has previously been used to target minorities in China.

However, ESET’s data shows that the operators now target users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.

The malware can provide precise device location information, steal call logs and SMS, record phone calls, take pictures through the smartphone’s camera, export contact lists, and steal files or databases.

The Android apps that distribute the malware are called “Signal Plus Messenger” and “FlyGram”.

The malicious actors also created dedicated websites for the apps — signalplus.org and flygram.org — to make them seemingly more legitimate by offering direct download links and links to the Google Play Store.
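The two distribution domains named above are the most directly usable indicators in the report. The following is an added example for defenders (not ESET's tooling or anything from the report) that flags DNS or proxy log lines whose queried host is one of those domains or a subdomain of them. It matches on the registrable domain rather than a bare substring, so a host such as `notflygram.org` is not reported; the three-field log layout and the sample lines are constructed for the example.

```python
"""Flag log lines that resolve or contact the BadBazaar distribution
domains named in the ESET report (signalplus.org, flygram.org).

Added defender example; the log format ("timestamp client target") is a
constructed, simplified layout, not a real product's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Domains taken from the report. Matching is on the registrable domain and
# any subdomain of it, never on a substring, so "notflygram.org" is not a hit.
BADBAZAAR_DOMAINS = frozenset({"signalplus.org", "flygram.org"})

# Constructed layout: ISO timestamp, client address, queried host or URL.
_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<target>\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str
    matched_domain: str


def extract_host(target: str) -> str:
    """Reduce a bare host, a host with a path, or a full URL to its hostname."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.split("/", 1)[0].lower()


def matched_domain(host: str) -> str | None:
    """Return the listed domain that `host` equals or is a subdomain of."""
    h = host.lower().rstrip(".")  # tolerate a trailing dot from DNS logs
    for d in BADBAZAAR_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_log(lines) -> list[Hit]:
    """Parse each line and return the ones that touch a listed domain."""
    hits: list[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than fail
        host = extract_host(m.group("target")).rstrip(".")
        d = matched_domain(host)
        if d:
            hits.append(Hit(m.group("ts"), m.group("client"), host, d))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-08-30T10:01:02Z 10.0.0.12 www.example.com",
    "2023-08-30T10:01:05Z 10.0.0.12 flygram.org",
    "2023-08-30T10:02:17Z 10.0.0.31 download.signalplus.org.",
    "2023-08-30T10:02:18Z 10.0.0.31 notflygram.org",
    "2023-08-30T10:03:00Z 10.0.0.44 https://signalplus.org/apk",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.host} (matches {hit.matched_domain})")
```

Run against the sample, the scanner reports the three lines that touch `flygram.org`, `download.signalplus.org` and `signalplus.org`, and ignores the look-alike host and the malformed line. Feeding it real resolver or proxy logs only requires adapting `_LOG_RE` to the actual field layout.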

FlyGram targets private data like contact lists, call logs, Google accounts, and Wi-Fi data while offering a backup feature that sends Telegram communication data to a server the attackers own.

ESET’s analysis revealed that more than 13,950 FlyGram users enabled the backup. However, the total number of users who downloaded the app remains unknown.

Signal Plus Messenger targets similar information, with a focus on extracting Signal communication data and the PIN that protects users’ accounts.

It also bypasses the QR-code-based device linking feature offered by Signal to link an attacker-controlled device to users’ accounts.

“BadBazaar, the malware responsible for the spying, bypasses the usual QR code scan and user click process by receiving the necessary URI from its C&C server, and directly triggering the necessary action when the Link device button is clicked,” says ESET.

“This enables the malware to secretly link the victim’s smartphone to the attacker’s device, allowing them to spy on Signal communications without the victim’s knowledge.”

However, users can check whether unknown devices are linked to their account by launching the genuine Signal app, opening Settings, and selecting the “Linked Devices” option.

From there, they can view and manage linked devices.