Title: Malicious Android Apps Spreading Spyware Targeting Secure Messaging Platforms Discovered on Google Play Store and Samsung Galaxy Store
In a concerning development, cybersecurity firm ESET has uncovered a series of malicious Android apps that have been infecting devices with spyware. The apps in question primarily target popular secure messaging platforms Signal and Telegram and have been distributed through the Google Play Store, Samsung Galaxy Store, and dedicated websites.
ESET has attributed this campaign to a China-linked actor named GREF, a group known for its cyber espionage activities. According to reports, the two campaigns have been active since July 2020 and July 2022, respectively. This indicates a long-term and sustained effort to compromise user devices and extract sensitive information.
Initial victims of this spyware were primarily detected in Germany, Poland, and the United States, although other countries may also be affected. The spyware, known as BadBazaar, was first documented targeting the Uyghur community in China. Its main purpose is to exfiltrate device information and conduct espionage on Signal messages, raising concerns about privacy and security.
Interestingly, the rogue Android apps responsible for spreading the spyware were never published on the official Google Play Store. However, they were available on the Samsung Galaxy Store, despite being taken down from Google’s app storefront. This raises questions about the effectiveness of app store security measures and highlights the need for more robust vetting processes to protect users.
Potential victims have reportedly been tricked into installing these malicious apps from a Uyghur Telegram group. Two specific apps, Signal Plus Messenger and FlyGram, have been found to collect and exfiltrate sensitive user data. Moreover, Signal Plus Messenger even allows covert surveillance of Signal communications.
FlyGram, on the other hand, implements SSL pinning, a technique that hampers interception of its network traffic and therefore analysis by security researchers. Shockingly, more than 13,953 users fell victim to the spyware by installing FlyGram and activating the Cloud Sync feature.
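On Android, the SSL pinning mentioned above is commonly declared in an app's network security configuration (it can also be implemented in code, which is not covered here). The following script is an added example, not code from ESET, from the article, or from FlyGram: it parses such a configuration and reports, for each domain, whether pins are present and well-formed, whether the pin-set has expired (Android disables pinning once the expiration date passes), and whether cleartext traffic is permitted. The embedded configuration, domain names and pin values are constructed placeholders.

```python
"""Audit an Android network_security_config.xml for certificate pinning.

Added example; the sample configuration below is constructed, with
placeholder domains and pin values that are not real SPKI hashes.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import date

# Constructed pins: base64 of 32 zero bytes and of 32 0x11 bytes.
PIN_A = base64.b64encode(bytes(32)).decode()
PIN_B = base64.b64encode(bytes([0x11]) * 32).decode()

SAMPLE_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">sync.placeholder.invalid</domain>
    <pin-set expiration="2024-01-01">
      <pin digest="SHA-256">{PIN_A}</pin>
      <pin digest="SHA-256">{PIN_B}</pin>
    </pin-set>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">api.placeholder.invalid</domain>
  </domain-config>
</network-security-config>
"""


def _valid_pin(pin_el):
    """A pin must use SHA-256 and decode to exactly 32 bytes."""
    if pin_el.get("digest") != "SHA-256":
        return False
    try:
        raw = base64.b64decode((pin_el.text or "").strip(), validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def audit_config(xml_text, today):
    """Return one report entry per <domain>, with findings a reviewer would flag."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError("not a network security config")
    report = []
    for dc in root.iter("domain-config"):  # iter() also covers nested domain-config
        cleartext = dc.get("cleartextTrafficPermitted", "false").lower() == "true"
        pin_set = dc.find("pin-set")
        pins = pin_set.findall("pin") if pin_set is not None else []
        valid = sum(1 for p in pins if _valid_pin(p))
        expired = None
        if pin_set is not None and pin_set.get("expiration"):
            # Android disables pinning on and after the expiration date.
            expired = date.fromisoformat(pin_set.get("expiration")) <= today
        for dom in dc.findall("domain"):
            findings = []
            if cleartext:
                findings.append("cleartext traffic permitted")
            if not pins:
                findings.append("no pins configured")
            elif valid != len(pins):
                findings.append("malformed pin entries")
            if expired:
                findings.append("pin-set expired: pinning disabled by Android")
            report.append({
                "domain": (dom.text or "").strip(),
                "include_subdomains": dom.get("includeSubdomains", "false") == "true",
                "cleartext": cleartext,
                "pin_count": len(pins),
                "valid_pins": valid,
                "expired": expired,
                "findings": findings,
            })
    return report


if __name__ == "__main__":
    for entry in audit_config(SAMPLE_CONFIG, today=date.today()):
        print(entry["domain"], "->", "; ".join(entry["findings"]) or "ok")
```

Run it against a real configuration by replacing `SAMPLE_CONFIG` with the contents of `res/xml/network_security_config.xml` extracted from an APK; the script only inspects the declared policy and does not validate that the pins match any live server.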
ESET is actively tracking GREF as a separate cluster and continues to investigate the extent of the espionage campaign. Users are encouraged to remain vigilant and update their devices with the latest security patches. It is crucial to download apps only from trusted sources and exercise caution while joining online groups or communities.
The discovery of these malicious apps serves as a reminder that even seemingly legitimate platforms can harbor hidden threats. As the digital landscape continues to evolve, users must remain proactive in safeguarding their privacy and security.