Friday, October 4, 2024
HomeCyber Security NewsBadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps

BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps

Published on

The Android BadBazaar malware is being distributed through the Google Play store, Samsung Galaxy Store, and dedicated websites mimicimg Signal Plus Messenger and FlyGram malicious applications.

These active campaigns are connected to the China-aligned APT organization known as GREF. Uyghurs and other Turkic ethnic minorities have historically been the target of the spyware known as BadBazaar.

The BadBazaar malware family has already been targeted, and the FlyGram malware was also observed being spread in a Uyghur Telegram channel.

- Advertisement - EHA

According to ESET researchers, Germany, Poland, the U.S., Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen are the countries where victims have been found most often.

Specifics of the Attack

Researchers found active Android campaigns where malicious apps with the names Signal Plus Messenger and FlyGram were uploaded and disseminated through the Google Play store, Samsung Galaxy Store, and specific websites, imitating the Signal app (signalplus[.]org) and a Telegram alternative app (flygram[.]org).

The primary objective of BadBazaar is to steal device information such as the contact list, call logs, and the list of installed applications, as well as to spy on Signal conversations by secretly attaching the victim’s Signal Plus Messenger app to the attacker’s mobile device.

BadBazaar Figure_01
Signal Plus Messenger is available on Google Play (left) and Samsung Galaxy Store (right)

FlyGram can specifically extract not just sensitive data like contact lists, phone logs, and a list of Google Accounts but also basic device information. 

Additionally, the malware can exfiltrate some Telegram-related data and settings; researchers say this data excludes the Telegram contact list, messages, and any other sensitive data.

“If users enable a specific FlyGram feature that allows them to back up and restore Telegram data to a remote server controlled by the attackers, the threat actor will have full access to these Telegram backups, not only the collected metadata,” according to report shared with Cyber Security News.

Linking the victim’s Signal communications to the attacker

Every newly created user account receives a special ID from the server. This ID has a sequential pattern, which shows that at least 13,953 FlyGram accounts have this feature turned on.

Similar device data and private information are gathered by Signal Plus Messenger, but its primary objective is to track the victim’s Signal communications.

It may obtain the Signal PIN that secures the Signal account and abuses the link device feature, which enables users to link Signal Desktop and Signal iPad to their phones.

“Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which should provide victims a working app experience (without reason to remove it) but with espionage happening in the background”, researchers said.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...