Endpoint Security
,
Fraud Management & Cybercrime
,
Social Engineering
Trojanized Apps Impersonate Signal and Telegram
Hackers aligned with Chinese interests are targeting Android users with fake encrypted chat apps Trojanized with espionage capabilities in separate and ongoing campaigns, one active since July 2020 and the other for more than 12 months.
See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense
Researchers at Eset on Wednesday attributed the campaigns to a threat group tracked as Gref, which overlaps with activity also ascribed to groups including APT15, Vixen Panda and Ke3Chang.
Chinese hackers impersonated the Signal and Telegram apps on Google Play and Samsung Galaxy Store through apps representing themselves as “Signal Plus Messenger” and “FlyGram.” The apps contained “BadBazaar” spyware – malicious code previously used to target Uyghurs and other Turkic ethnic minorities in China. “To the best of our knowledge, this malware family is unique to Gref,” Eset wrote.
Code analysis of the two Trojanized apps revealed similarities in class names and code responsible for data exfiltration.
Eset said its telemetry shows infections mainly in Poland and Germany but also in countries as far apart as Brazil and Australia. Gref lured some victims into installing the FlyGram app by touting it in a Uyghur Telegram group focused on Android app sharing that has more than 1,300 members, Eset wrote. Beijing closely surveils the Uyghur diaspora in a bid to intimidate members from speaking out against ongoing repression in the Xinjiang Uyghur Autonomous Region. The United States accuses the Chinese government of committing genocide and crimes against humanity against Uyghurs.
The apps exfiltrate information including contact lists, call logs, a list of Google accounts, device location and a list of installed apps. The fake Signal app gets around security protections by stealing the Signal PIN number and autolinking the compromised device to the attacker’s Signal device.
Google removed the fake Signal app from its Play store on May 23 and FlyGram hasn’t been available on the official Android app store since January 2021. Eset said Samsung didn’t respond to its report about the malicious apps and they remained available on the Samsung Galaxy Store as of publication. As on Thursday evening, they appear to be unavailable on the Samsung site.