Trojanized Signal and Telegram apps on Google Play and Samsung Galaxy Store delivered spyware

Gandalf_The_Grey

Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF.

This malware was previously used to target ethnic minorities in China, but ESET's telemetry shows that this time, the attackers target users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.

BadBazaar's capabilities include tracking the device's precise location, stealing call logs and SMS, recording phone calls, taking pictures using the camera, exfiltrating contact lists, and stealing files or databases.

FlyGram was uploaded on Google Play in July 2020, and it was removed on January 6, 2021, having amassed a total of 5,000 installations through that channel.

Signal Plus Messenger was uploaded on Google Play and Samsung Galaxy Store in July 2022, and Google removed it on May 23, 2023.

At the time of writing this, BleepingComputer confirmed that both apps were still available on the Samsung Galaxy Store.

Android users are recommended to use the original versions of Signal and Telegram and avoid downloading fork apps that promise enhanced privacy or additional features, even if those are available on official app stores.
 

cartaphilus

And once again we have exact proof that China would never ever support Russia over their invasion of Ukraine. Nope, never.

The knowledge of the exact location of Ukrainian users who employ Signal and Telegram in order to communicate is just an accidental finding.
 

Sandbox Breaker

Typical AV isn't working on Android. With the wave of recent evasion and packing tactics to bypass signatures and even static ML... Dynamic analysis solutions are the way to go.

Check Point Harmony Mobile sandboxes and does a lot of post-execution analysis that also uses Kaspersky, Sophos, Cisco feeds.

Not sure if there are other solutions out there like it at the moment. This also applies to not just APKs but documents and all support TE extensions. I'm sure @Trident would have more to say on this also.
 

cartaphilus

The only problem I have with Harmony Protect, which I am running, is the need to become a VPN. Which then kicks off my AdGuard, and also it's impossible to use Android Auto with Harmony Protect on (due to the VPN requirement).

Edit: and the initial scan takes a Loooong time
 

VladDracul

Well, not to brag, but I am glad that I am using ESET on my POCO F3. I always purchase a 2-year license and in fact, AFAIK it's the only AV for Android that scans traffic on the Kiwi browser that I'm using as my main browser.
 

cartaphilus

I tried a Kiwi browser once but then I was attacked by a great white shark followed by Sydney funnel web spider, some drop bears and finally I accidentally wiped my tucus and front region with the leaves from the Gimpy-Gimpy plant.... oh by the way does anyone know what is the fastest exit out of this timeline?

Edit: wiping your tucus with a Gimpy-Gimpy plant actually did happen. The guy lasted a few days before offing himself in order to end the pain. (Or so I read: it might be a yarn though)


By the way I like this part in Harmony Protect
[Attached images: Screenshot_20230831-002928.png, Screenshot_20230831-002918.png, Screenshot_20230831-002908.png]
 

piquiteco

I recommend using an AV on Android for anyone, whether they're a layperson or not, preferably paid AVs. I'll summarize an experience I had last month that I didn't get to share here on MT, which happened to my mother on her Samsung M12 Android smartphone. She doesn't know anything about technology; even to search for things on YouTube she uses OK Google and says she's going to search. She doesn't know what a store is, the apps are updated automatically, and if she needs to install something, she won't know; she'll have to call me, my brother or ask someone who knows how to install it for her. So, now you know, as well as being a layperson, she's a bit older and unfamiliar with technology, and all this together makes it difficult to learn these things. I installed Bitdefender Mobile Security on her device, and it had been installed for about 5 months. Last month she told me that she was receiving an alert on her cell phone. I said, "What's the alert?" She told me, "When it appears I'll show you." I said okay. After about 15 minutes she called me and said this alert keeps appearing. I took her smartphone and looked at it: Bitdefender Mobile Security was highlighted in red. I went to check the Bitdefender notification and it said that it had 2 malware and needed user action to remove the threat. Before I removed these 2 malware I went to check what they were: it was something similar to 0912345679066546472310.apk, with a bunch of random numbers, and two of these APKs were installed. Before I removed them I opened Google Play, did a scan with Google Play Protect and found nothing, and then did a scan again with Bitdefender, which in the end only found these two APKs with random numbers .apk. Taking a quick look at the Android settings, known sources was disabled. I looked in the list of installed apps and also did not find them; it is as if the app is installed and remained hidden from the user. I don't know how these malware-infected APKs ended up on my mother's phone.

The probable cause, I presume, must be the ads on YouTube, which I believe to be malvertising; it must be some ad that she ended up playing and ended up installing. The YouTube app for Android is full of ads; below are those app buttons that try to promote, like those "click here", "tap here" buttons lol, and the person ends up tapping unintentionally or ends up installing, induced by so many ads. I removed the 2 pieces of malware and then the phone was clean, with no suspicious activity on my mom's Google account and no trace left on the phone. That was my experience of malware on Android. ;)
 

cartaphilus

Excuse me if I suffer from a cough. But I would recommend that you install the following for your mom. I did that for my mom and dad both on their droid phones and their Chromebooks.


Cough YouTube ReVanced cough
Cough STN beta cough same as above but different fork and less known so less likely to be quickly adapted against
Cough NewPipe cough

Cough PM or AM me for the URL location if you can't find it yourself. Or I can email you the APK if you don't find it.
 
