A cyberespionage campaign is distributing spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores, ESET researchers revealed.
The campaign, attributed to a China-linked threat actor that ESET tracks as Gref, has been ongoing since July 2023 and relies on an Android espionage tool named BadBazaar, delivered through fake versions of the popular messaging apps Signal and Telegram published under the names Signal Plus Messenger and FlyGram.
The BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities.
The purpose of these malicious apps is to exfiltrate data from infected Android devices. FlyGram can steal basic device information and sensitive data, such as contact lists, call logs, and the list of Google Accounts. Though it is also able to extract some information and settings related to Telegram, this data doesn’t include the Telegram contact list, messages, or any other sensitive information.
Signal Plus Messenger collects similar device data and sensitive information, but its main goal is to spy on the victim's Signal communications. The app can exfiltrate the Signal PIN that protects the Signal account, and it abuses Signal's "link device" feature, which is intended for pairing Signal Desktop or Signal iPad with a phone, to silently link the victim's account to an attacker-controlled device so that the attacker receives the victim's messages from then on. Because such a link appears like any other linked device, anyone who has installed the app should open Signal's Linked devices settings and unlink any device they do not recognize.
The malicious apps pin the TLS certificate of their command-and-control servers (SSL pinning), so their traffic cannot simply be intercepted with a man-in-the-middle proxy, which complicated interception and analysis for the researchers.
Infections were primarily detected in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen.
ESET says it reported both apps to Google and Samsung. Google removed the offending software from the Play Store; at the time of writing, however, both apps were still available on the Samsung Galaxy Store.
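Because the lookalikes can still reach a device through a store, a quick triage step is to list the third-party packages on an Android device and flag any that borrow the Signal or Telegram name without being the official package. The script below is an added example, not ESET's code or a detection rule from the report: it parses the output of `adb shell pm list packages -i` (which prints each package with the installer that put it there), compares against the official identifiers `org.thoughtcrime.securesms` (Signal) and `org.telegram.messenger` (Telegram), and reports lookalikes together with their installer. The sample listing embedded in it is constructed for the demonstration, and the package names `com.example.signalplus.messenger` and `com.example.flygram.telegram` in it are hypothetical placeholders, not the real malicious package identifiers.

```python
"""Flag installed Android apps that imitate Signal or Telegram.

Added example, not code from the article or from ESET. Input is the text
printed by `adb shell pm list packages -i`; the sample below is constructed.
"""
import re

# Official package identifiers of the genuine apps (verifiable from the
# Play Store URLs of Signal and Telegram).
OFFICIAL = {
    "org.thoughtcrime.securesms": "Signal",
    "org.telegram.messenger": "Telegram",
}

# Name fragments a lookalike is likely to reuse to look legitimate.
BRAND_HINTS = ("signal", "securesms", "thoughtcrime", "telegram")

# One line of `pm list packages -i` output looks like:
#   package:<name> installer=<installer package or null>
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?")


def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer}."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst") or "unknown"
    return result


def find_impostors(installed):
    """Return [(package, installer)] for packages that carry a Signal or
    Telegram brand hint but are not one of the official packages."""
    hits = []
    for pkg, installer in sorted(installed.items()):
        if pkg in OFFICIAL:
            continue
        if any(hint in pkg.lower() for hint in BRAND_HINTS):
            hits.append((pkg, installer))
    return hits


# Constructed sample output. com.android.vending is Google Play and
# com.sec.android.app.samsungapps is the Samsung Galaxy Store; the two
# com.example.* names are hypothetical lookalikes, not real malware IDs.
SAMPLE = """\
package:com.android.chrome installer=com.android.vending
package:org.thoughtcrime.securesms installer=com.android.vending
package:com.example.signalplus.messenger installer=com.sec.android.app.samsungapps
package:org.telegram.messenger installer=com.android.vending
package:com.example.flygram.telegram installer=com.sec.android.app.samsungapps
package:com.example.notes installer=null
"""

if __name__ == "__main__":
    # On a real device: adb shell pm list packages -i > packages.txt
    for pkg, installer in find_impostors(parse_pm_list(SAMPLE)):
        print(f"suspicious: {pkg} (installed by {installer})")
```

The name-based heuristic is only a first pass: a malicious build can reuse the official package name if it is sideloaded, so for any Signal installation the linked-devices check described above still has to be done by hand inside the app, and an unexpected installer (anything other than the store the user actually uses, or `null` for a sideloaded APK) on a messaging app is worth a closer look on its own.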