Security News > 2023 > August > China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users

Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices.

Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko said in a new report shared with The Hacker News.

BadBazaar was first documented by Lookout in November 2022 as targeting the Uyghur community in China with seemingly benign Android and iOS apps that, once installed, harvests a wide range of data, including call logs, SMS messages, locations, and others.

Beyond these distribution mechanisms, it's said that potential victims have also been likely tricked into installing the apps from a Uyghur Telegram group focused on sharing Android apps.

Both Signal Plus Messenger and FlyGram are designed to collect and exfiltrate sensitive user data, with each app dedicated to also amassing information from the respective apps they mimic: Signal and Telegram.

"BadBazaar's main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device," Štefanko said.

News URL

https://thehackernews.com/2023/08/china-linked-badbazaar-android-spyware.html