
Chinese APT Uses Fake Messenger Apps to Spy on Android Users

The Trojanized Apps Impersonate Signal and Telegram
Chinese flags on barbed wire wall in Kashgar, Xinjiang, China (Image: Shutterstock)

Hackers aligned with Chinese interests are targeting Android users with fake encrypted chat apps Trojanized with espionage capabilities in separate and ongoing campaigns, one active since July 2020 and the other for more than 12 months.


Researchers at Eset on Wednesday attributed the campaigns to a threat group tracked as Gref, which overlaps with activity also ascribed to groups including APT15, Vixen Panda and Ke3chang.

Chinese hackers impersonated the Signal and Telegram apps on Google Play and Samsung Galaxy Store through apps representing themselves as "Signal Plus Messenger" and "FlyGram." The apps contained BadBazaar spyware - malicious code previously used to target Uyghurs and other Turkic ethnic minorities in China. "To the best of our knowledge, this malware family is unique to Gref," Eset wrote. Code analysis of the two Trojanized apps revealed similarities in class names and code responsible for data exfiltration.

Eset said its telemetry shows infections mainly in Poland and Germany but also in countries as far apart as Brazil and Australia. Gref lured some victims into installing the FlyGram app by touting it in a Uyghur Telegram group focused on Android app sharing that has more than 1,300 members, Eset wrote. Beijing closely surveils the Uyghur diaspora in a bid to intimidate members who speak out against ongoing repression in the Xinjiang Uyghur Autonomous Region. The United States accuses the Chinese government of committing genocide and crimes against humanity against Uyghurs.

The apps exfiltrate information including contact lists, call logs, a list of Google accounts, device location and a list of installed apps. The fake Signal app bypasses Signal's protections by stealing the victim's Signal PIN and automatically linking the compromised device to the attacker's Signal device, giving the attacker access to the victim's messages.

Google removed the fake Signal app from its Play store on May 23 and FlyGram hasn't been available on the official Android app store since January 2021. Eset said Samsung didn't respond to its report about the malicious apps and they remained available on the Samsung Galaxy Store as of publication. As of Thursday evening, they appear to be unavailable on the Samsung site.


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
