- This power bank is thinner than your iPhone and this Black Friday deal slashes 27% off the price
- New Levels, New Devils: The Multifaceted Extortion Tactics Keeping Ransomware Alive
- Elden Ring, 2022's Game of the Year, hits a record low price of $20 on Amazon for Black Friday
- This is the best car diagnostic tool I've ever used, and it's only $54 in this Black Friday deal
- This robot vacuum has a side-mounted handheld vacuum and is $380 off for Black Friday
Chinese APT Group GREF Use BadBazaar in Android Espionage
ESET researchers have exposed a sophisticated espionage tool named BadBazaar, which targets Android users through malicious versions of popular communication apps Signal and Telegram.
The tool is believed to be the work of the China-aligned APT group known as GREF. This group has been linked to previous cyber campaigns targeting Uyghurs and other Turkic ethnic minorities.
The two new campaigns are suspected to have been active since around July 2020 and July 2022, respectively. BadBazaar has been distributed through several channels, including the official Google Play store, Samsung Galaxy Store and dedicated websites posing as legitimate app sources. The malicious apps in question, Signal Plus Messenger and FlyGram were used as the vehicles for this espionage operation.
In a technical write-up released earlier today, ESET researchers have revealed the malware’s capabilities, including FlyGram’s data harvesting features encompassing basic device details, contact lists, call logs and Google Account data, along with limited access to specific Telegram-related data.
Signal Plus Messenger goes further, enabling attackers to clandestinely link compromised devices to their Signal accounts, granting them Signal communication access and showcasing their advanced tactics.
Read more on spyware tools: Android Spyware BouldSpy Linked to Iranian Government
Notably, the attackers utilized SSL pinning to protect the communication between the malicious apps and their command-and-control servers, making interception and analysis challenging for researchers. According to the ESET advisory, the campaigns targeted users across several countries, indicating a broad scope of victimology.
ESET’s immediate action led to the removal of malicious apps from Google Play, but distribution continues through the Samsung Galaxy Store, alternate app sources and dedicated websites.
In today’s ever-evolving digital landscape, the emergence of the BadBazaar threat underscores the need for heightened cybersecurity. Alongside standard practices like keeping devices updated and using trusted security solutions, users should exercise caution when downloading apps.
Verifying app developers, practicing good cyber-hygiene and maintaining a vigilant attitude towards potential threats contribute to a more robust defense against emerging cyber-risks.
Editorial image credit: Natee Meepian / Shutterstock.com