Trojanized Android messaging apps used for BadBazaar spyware distribution

China-linked threat actor GREF has leveraged trojanized Telegram and Signal messaging apps available in the Google Play Store and Samsung Galaxy Store to facilitate the delivery of BadBazaar spyware, according to The Hacker News. Android device users in the U.S., Germany, and Poland have been primarily impacted by the BadBazaar spyware campaign using the FlyGram and Signal Plus Messenger apps, which commenced in July 2022, a report from ESET revealed. Aside from exfiltrating enabling sensitive user data exfiltration, both trojanized apps infiltrate backups and PINs. Further examination showed that FlyGram also bypasses analysis through SSL pining, while Signal Plus Messenger allows attackers to connect impacted devices with their Signal account. "BadBazaar's main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim's Signal Plus Messenger app to the attacker's device," said researcher Lukas Stefanko.