Image: Unsplash

China-linked hackers spy on Android users through fake messenger apps

Suspected China-linked hackers are targeting Android users with spyware to steal data and eavesdrop on their messages, according to new research.

Attackers in two active campaigns planted ‘BadBazaar’ malware in fake Signal and Telegram apps distributed through official app stores, including the Google Play store and the Samsung Galaxy store, according to research published Wednesday by cybersecurity firm ESET. The malware has been used in the past by a China-aligned hacking group known as GREF.

The malicious apps — called Signal Plus Messenger and FlyGram — were designed to steal user data, including device information, the list of installed apps, as well as sensitive data, such as contact lists and call records.

The hackers could also gain full access to Telegram backups if the user enabled a specific feature added by the hackers. This feature was activated by at least 13,953 user accounts, the researchers said.

The malicious Signal Plus Messenger spied on a victim's Signal messages by secretly connecting the compromised device to the attacker's device. It could do this by bypassing the usual QR-code linking process used to connect multiple devices to one account.

Following ESET’s investigation, Google removed the malicious apps from Google Play. Both apps are still available on the Samsung Galaxy Store — the company did not immediately respond to a request for comment.

The campaigns’ victims are located all over the world — in Australia, Brazil, Denmark, Germany, Hong Kong, Poland, Portugal, Singapore, Spain, Ukraine, and the U.S.

Some of the victims belong to the Uyghur ethnic group in China, the researchers said. They were lured to install the malicious FlyGram app from a Uyghur Telegram group, which now has more than 1,300 members.

BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities, according to ESET.

The Signal Plus Messenger and FlyGram campaigns have been active since at least July 2020 and July 2022, respectively, according to ESET.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.