Gandalf_The_Grey
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF.
This malware was previously used to target ethnic minorities in China, but ESET's telemetry shows that this time, the attackers target users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.
BadBazaar's capabilities include tracking the device's precise location, stealing call logs and SMS, recording phone calls, taking pictures using the camera, exfiltrating contact lists, and stealing files or databases.
FlyGram was uploaded on Google Play in July 2020, and it was removed on January 6, 2021, having amassed a total of 5,000 installations through that channel.
Signal Plus Messenger was uploaded on Google Play and Samsung Galaxy Store in July 2022, and Google removed it on May 23, 2023.
At the time of writing this, BleepingComputer confirmed that both apps were still available on the Samsung Galaxy Store.
Android users are recommended to use the original versions of Signal and Telegram and avoid downloading fork apps that promise enhanced privacy or additional features, even if those are available on official app stores.
Trojanized Signal and Telegram apps on Google Play delivered spyware
www.bleepingcomputer.com