The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

BadBazaar Spyware Variants Delivered Via Trojanized Android Apps

Sep 11, 2023 3:07:00 PM / by The Hivemind

BADBAZAAR

Executive Summary

Two GREF espionage campaigns used trojanized Android apps to deliver BadBazaar spyware variants.

Key Takeaways

  • Two GREF espionage campaigns used trojanized Android apps to deliver BadBazaar spyware variants.
  • The threat actors used the trojanized Signal and Telegram apps Signal Plus Messenger and FlyGram to deliver the malware. 
  • The trojanized version of Signal Plus Messenger is the first documented case of successfully spying on a victim’s Signal communications by secretly linking the victim’s device to a threat actor-controlled device.

What is BadBazaar?

ESET recently reported on GREF espionage campaigns using trojanized Android apps to deliver BadBazaar spyware variants. GREF engaged in at least two such campaigns, one beginning around July 2020 and the other around July 2022. Infected devices were detected in various locations including Australia, Brazil, Denmark, the Democratic Republic of Congo, Germany, Hong Kong, Hungary, Lithuania, Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, Yemen, and the US.

The threat actors used trojanized Signal and Telegram apps including Signal Plus Messenger and FlyGram, which were available on Google Play and Samsung Galaxy Store, to deliver BadBazaar. In addition to the apps being present on the office Google Play and Samsung Galaxy stores, the threat actors leveraged the domains signalplus[.]org and flygram[.]org to give the appearance of legitimacy. The apps have since been removed from Google Play but remained on the Samsung Galaxy Store as of the time of writing.

The trojanized version of FlyGram allows threat actors to access Telegram backups. It can also exfiltrate user data including basic device information, contacts, call logs, and a list of Google accounts.

ESET researchers noted the trojanized version of Signal Plus Messenger is the first documented case of successfully spying on a victim’s Signal communications by extracting the account’s Signal PIN number and secretly auto-linking the victim’s device to a threat actor-controlled device. It also collects device data and sensitive information.

Who is GREF?

GREF is a threat actor group believed to be aligned with Chinese interests. They have been observed engaging in espionage campaigns, primarily targeting the Uyghurs and other Turkic ethnic minorities. While some industry researchers link GREF to Vixen Panda (APT15), ESET stated they did not have enough evidence to definitively link the two groups.

IOCs

PolySwarm has multiple samples associated with these campaigns.

 

549d726fe2b775cfdd1304c2d689dfd779731336a3143225dc3c095440f69ed0

Daf3d2cb6f1bbb7c8d1cfb5fc0db23afc304a622ebb24aa940228be691bcda2d

58ccc0f239241cbcd023a5eb0800786a20df9303854e6365ac66b99038c76d72

 

You can use the following CLI command to search for all BadBazaar samples in our portal:

$ polyswarm link list -f BadBazaar

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

 

Topics: Threat Bulletin, Espionage, Android, Mobile, BadBazaar, GREF

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More