Two GREF espionage campaigns used trojanized Android apps to deliver BadBazaar spyware variants.
- The threat actors used the trojanized Signal and Telegram apps Signal Plus Messenger and FlyGram to deliver the malware.
- The trojanized version of Signal Plus Messenger is the first documented case of successfully spying on a victim’s Signal communications by secretly linking the victim’s device to a threat actor-controlled device.
What is BadBazaar?
ESET recently reported on GREF espionage campaigns using trojanized Android apps to deliver BadBazaar spyware variants. GREF engaged in at least two such campaigns, one beginning around July 2020 and the other around July 2022. Infected devices were detected in various locations including Australia, Brazil, Denmark, the Democratic Republic of Congo, Germany, Hong Kong, Hungary, Lithuania, Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, Yemen, and the US.
The threat actors used trojanized Signal and Telegram apps, including Signal Plus Messenger and FlyGram, which were available on Google Play and the Samsung Galaxy Store, to deliver BadBazaar. In addition to placing the apps on the official Google Play and Samsung Galaxy stores, the threat actors leveraged the domains signalplus[.]org and flygram[.]org to give the appearance of legitimacy. The apps have since been removed from Google Play but remained on the Samsung Galaxy Store as of the time of writing.
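The two domains above are the only network indicators the report names, so one practical defender check is to refang them and sweep DNS query logs for lookups of those domains or any subdomain. The following is an added example written for this post, not PolySwarm or ESET code; the log format and log lines are constructed for the demo.

```python
import re
from typing import List, Optional

# The two domains named in the report, kept in their defanged form.
REPORTED_DOMAINS_DEFANGED = ["signalplus[.]org", "flygram[.]org"]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'flygram[.]org' back into 'flygram.org'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()

def matches_indicator(hostname: str, indicators: List[str]) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None.
    A suffix match without the leading dot would wrongly flag 'notflygram.org'."""
    host = hostname.strip().lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Assumed (constructed) query-log layout: "<date> <time> query[<type>] <name> from <client-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

def scan_dns_log(lines: List[str], indicators_defanged=REPORTED_DOMAINS_DEFANGED) -> List[dict]:
    """Return one hit per log line whose queried name matches a reported domain."""
    indicators = [refang(d) for d in indicators_defanged]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        ioc = matches_indicator(m.group("name"), indicators)
        if ioc:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "query": m.group("name").lower(), "ioc": ioc})
    return hits

# Constructed sample log: one benign lookup, two hits (a subdomain and a
# mixed-case exact match), one look-alike that must not match, and one junk line.
SAMPLE_LOG = [
    "2023-09-01 10:00:01 query[A] www.example.com from 10.0.0.5",
    "2023-09-01 10:00:02 query[A] api.flygram.org from 10.0.0.7",
    "2023-09-01 10:00:03 query[AAAA] SignalPlus.org from 10.0.0.9",
    "2023-09-01 10:00:04 query[A] notflygram.org from 10.0.0.11",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} queried {hit['query']} (matches {hit['ioc']})")
```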
The trojanized version of FlyGram allows threat actors to access Telegram backups. It can also exfiltrate user data including basic device information, contacts, call logs, and a list of Google accounts.
ESET researchers noted that the trojanized version of Signal Plus Messenger is the first documented case of successfully spying on a victim’s Signal communications: it extracts the account’s Signal PIN and secretly auto-links the victim’s device to a threat actor-controlled device. It also collects device data and sensitive information.
Who is GREF?
GREF is a threat actor group believed to be aligned with Chinese interests. They have been observed engaging in espionage campaigns, primarily targeting the Uyghurs and other Turkic ethnic minorities. While some industry researchers link GREF to Vixen Panda (APT15), ESET stated they did not have enough evidence to definitively link the two groups.
PolySwarm has multiple samples associated with these campaigns.
You can use the following CLI command to search for all BadBazaar samples in our portal:
$ polyswarm link list -f BadBazaar