Chinese spies target Android users with fake Signal, Telegram apps

Two separate Chinese espionage campaigns involving fake Signal and Telegram messaging apps, targeting Android users in the US and Europe, have been discovered by ESET security researchers.

The research, released by ESET Wednesday, said a Chinese-linked threat group, known as GREF, created fake versions of the encrypted messaging apps and loaded them onto the Google Play and Samsung Galaxy Stores.

Hoping to lure unsuspecting Android users into installing the apps on their phones, the Chinese hackers are said to have been actively distributing the malicious apps since July 2020 and July 2022, respectively.

It appears thousands of users have downloaded the trojanized apps, which the attackers named “Signal Plus Messenger” and “FlyGram.” They were created by mimicking the Signal application (signalplus[.]org) and a Telegram alternative app (flygram[.]org).
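A defender's first practical use of the two domains named above is to hunt for them in resolver logs. The following is an added example, not code from ESET or the article: it refangs the defanged indicators, then scans constructed dnsmasq-style query lines and reports which internal hosts resolved the indicator domains or any of their subdomains. The log format and sample addresses are assumptions for illustration.

```python
import re

# Indicator domains exactly as the article gives them (defanged); refanged at runtime.
DEFANGED_IOCS = ["signalplus[.]org", "flygram[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as signalplus[.]org back into a real domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(qname: str) -> bool:
    """True if qname is an IoC domain or a subdomain of one (case-insensitive,
    trailing dot tolerated). A lookalike such as notflygram.org does not match."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


# Constructed sample lines in dnsmasq's "query[TYPE] <name> from <client>" format.
SAMPLE_LOG = """\
Aug 30 10:01:02 gw dnsmasq[1234]: query[A] www.example.com from 10.0.0.12
Aug 30 10:01:05 gw dnsmasq[1234]: query[A] api.signalplus.org from 10.0.0.17
Aug 30 10:01:09 gw dnsmasq[1234]: query[AAAA] flygram.org. from 10.0.0.23
Aug 30 10:01:11 gw dnsmasq[1234]: query[A] notflygram.org from 10.0.0.31
Aug 30 10:01:15 gw dnsmasq[1234]: query[A] FLYGRAM.ORG from 10.0.0.17
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<src>\S+)")


def scan_dns_log(text: str) -> list[dict]:
    """Return one record per query line that resolved an indicator domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not domain_matches(m.group("qname")):
            continue
        hits.append({
            "src": m.group("src"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype"),
        })
    return hits


def hosts_to_investigate(hits: list[dict]) -> list[str]:
    """Distinct client addresses that queried an indicator domain, sorted."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['src']} -> {h['qname']} ({h['qtype']})")
    print("hosts to investigate:", hosts_to_investigate(found))
```

Matching on the domain suffix rather than the full string is deliberate: an app's backend usually lives on a subdomain of its developer site, so an exact-match rule would miss `api.signalplus.org` while a naive substring rule would falsely flag `notflygram.org`.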

Based on its telemetry, ESET said the fraudulent apps were detected on Android devices worldwide, with the largest numbers found in the US, several EU nations, and Ukraine.

Other countries included Australia, Brazil, Singapore, the Democratic Republic of the Congo, and Yemen.

ESET Signal Map
Image by ESET

According to ESET, the attackers patched the Android versions of both the Signal and Telegram open-source apps with malicious code, now identified by the team as BadBazaar.

ESET researcher Lukáš Štefanko, who made the discovery, said the trojanized apps “provided victims a working app experience but with espionage happening in the background.”

“BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” Štefanko said.

The team said it is the first “documented case of spying on a victim's Signal communications by auto-linking a compromised device” to an attacker-controlled command-and-control server.

ESET Signal attack
Image by ESET

Fortunately for Telegram victims, unlike with Signal Plus Messenger, the attackers could not use the FlyGram app to link to a victim’s account.

This prevented the attackers from intercepting any encrypted communications, said ESET.

Unfortunately, the FlyGram app still allowed the attackers to access Telegram backups if the user had enabled a backup feature that the attackers themselves had added to the app.

ESET said it found that about 14K Telegram users had activated the feature.

ESET FlyGram App
Image by ESET

Researchers attribute the spy campaigns to GREF because the BadBazaar malware has previously been used against Uyghurs and other Turkic ethnic minorities outside of China, and links to the FlyGram malware have also been seen in a Uyghur Telegram group.

China is known to commonly discriminate against those minority groups.

Besides sharing the same code, the research also found that “both apps were created by the same developer, shared the same malicious features, and the app descriptions on both stores refer to the same developer website.”

ESET Timeline
Image by ESET

Google has since removed both apps from the Play Store, but other dedicated websites could still be hosting the spy apps.

ESET is one of several Google App Defense Alliance partners, helping protect users by weeding out malware-infected apps made for Android mobile devices.