BadBazaar: Chinese Spyware Shams Signal, Telegram Apps

A phone home screen shows Signal and Telegram app iconsAfter sneaking into Google and Samsung app stores, “GREF” APT targets Uyghurs and other PRC minorities.

China stands accused of surveilling ethnic minorities using Trojan spyware in official app stores. The threat actor dubbed GREF is hiding the BadBazaar spyware inside cloned Signal and Telegram apps.

Google acted (slowly), but Samsung has failed to do anything. In today’s SB Blogwatch, we’re all about the déjà vu.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Artist.

I’m Shocked. Shocked!

What’s the craic? Thomas Brewster reports—“Fake Signal App Was Planted On Google Play”:

Samsung has not yet taken any action
The hackers, dubbed … GREF, also released a version on Samsung’s Galaxy Store. The main aim of the fake Signal, which was called Signal Plus Messenger … is to spy on communications of the real app. [It] appears to be linked to a Chinese spy operation, researchers claimed.

Researcher Lukas Stefanko [says] the same code seen in Signal Plus Messenger was previously used to target Uyghurs. He found evidence that the same hacking crew also created a malicious Telegram app called Flygram. … Links to download the app was also shared in a Telegram group for Uyghurs. … The attacks were likely targeted [to] specific individuals.

While Google removed both apps, … Samsung has not yet taken any action, despite being notified back in May. … Signal president Meredith Whittaker [said], “We urge Samsung and others to move rapidly to remove this malware.”

And Bill Toulas adds—“Trojanized Signal and Telegram apps”:

Still available on the Samsung Galaxy Store
The BadBazaar spyware … was previously used to target ethnic minorities in China, but … this time, the attackers targeted users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States. BadBazaar’s capabilities include tracking the device’s precise location, stealing call logs and SMS, recording phone calls, taking pictures using the camera, exfiltrating contact lists, and stealing files or databases.

To figure out if rogue devices are linked to your Signal account, launch the real Signal app, go to Settings, and tap the “Linked Devices” option to view and manage all connected devices. … Signal Plus Messenger was uploaded on Google Play and Samsung Galaxy store in July 2022, and Google removed it on May 23, 2023. … Both apps [are] still available on the Samsung Galaxy Store.

Really? Really??? Let’s buy ArsScene a new keyboard:

really? you’d think samsung could afford some sort of 24/7/365 monitoring / response for breaking news like this. i guess most really big corporations have moved beyond the concept of professional embarrassment, but still pretty sloppy.

Horse’s mouth? ESET’s Lukas Stefanko—“BadBazaar espionage tool targets Android users”:

Unique to GREF
Based on code similarities, we can assign Signal Plus Messenger and FlyGram to the BadBazaar malware family, which has been previously used against Uyghurs and other Turkic ethnic minorities outside of China. … This aligns with the targeting of other Android trojans previously used by GREF.

To the best of our knowledge, [BadBazaar] is unique to GREF. … While several sources claim that GREF is associated with APT15, [we] do not have enough evidence to support that connection.


APT15? Jai Vijayan clarifies and classifies—thuswise:

BadBazaar is malware that some other vendors have attributed to China-based APT15, aka Vixen Panda and Nickel. Lookout, the first to report on the malware last November, identified BadBazaar as one in a collection of unique surveillance tools that the Chinese government used … both domestically and abroad.

Good thing this couldn’t happen on the Apple app store, right? macosandlinux hates to burst your bubble:

Not only the Google App Store. I found blatant theft of classic games on the Mac App Store by Chinese uploaders. The title and screenshots were/are from PopCap Games/EA, but they are still up, and #1 top selling in some regions. What a ****show these review teams are!

Who can remind us how to avoid such malware? Michael Kan can:

[It] is a reminder to make sure you’re downloading messaging apps from official sources. … To avoid such malware, it’s best to check the reviews for the app before downloading and installing an app.

Meanwhile, lithven would like to register a complaint: [You did Dead Parrot yesterday; you’re fired—Ed.]

If I had one complaint about Google it would be how slow or indifferent they are. … There’s an app my child’s school uses that is only available on the Apple app store. … There is a fraudulent copycat app on the Google play store—identical name, very slightly modified icon, and a deceptive description—that has been there since April 2022 and no amount of reporting it seems to matter.

And Finally:

It’s not about the money, the accolades, the respect or the fame

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Dimitri Karastelev (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 642 posts and counting.See all posts by richi