News Heading - 1

China-Linked Android Spyware Targets Telegram and Signal Users in Europe and the US

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Cybersecurity researchers have discovered trojanized Android apps for Signal and Telegram used in a new espionage campaign. The apps, found on Google Play and the Samsung Galaxy Store, contain the BadBazaar spyware, attributed to the China-linked APT group GREF.

According to ESET researcher Lukáš Štefanko, the campaign distributing the espionage code was most likely active since July 2020 for FlyGram and July 2022 for Signal Plus Messenger. To infiltrate targeted victims' devices, GREF used patched versions of the open-source Signal and Telegram apps for Android, named ‘Signal Plus Messenger’ and ‘FlyGram’. Because both apps are built from the legitimate clients' source code, they behave as working messengers, and the added spyware functionality is not visible to the user.

The spyware was previously documented being used against Uyghurs and other Turkic ethnic minorities outside of China. "Based on our research, [..] potential victims were also lured to install the FlyGram app from a Uyghur Telegram group focused on Android app sharing, which now has more than 1,300 members," Štefanko stated.

This time, however, ESET found that the campaign primarily targeted users in Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the US, and Yemen.

BadBazaar can extract device information, including the contact list and the list of installed apps; steal call logs, messages and Google account data; remotely use the device camera to take pictures; exfiltrate Telegram communications to an attacker-controlled C2 server; and, through Signal Plus Messenger, abuse Signal's "link device" feature to covertly link the victim's Signal account to an attacker-controlled device, so that the attacker receives the victim's messages. Signal users can review which devices are linked to their account under Settings > Linked devices and remove any they do not recognize.

Before their malicious capability was discovered, the apps had been installed thousands of times between them. Based on the available Play Store data:

  • Signal Plus Messenger – installed 100+ times since July 2022. The app was also available for download via signalplus[.]org
  • FlyGram – installed 5,000+ times since June 2020. The app was also available for download via flygram[.]org

When notified, Google removed both apps from the Play Store, but at the time of the report they remained available on the Samsung Galaxy Store.

News Heading - 2

New Android Trojan MMRat Targets Southeast Asia Users to Carry Out Bank Fraud

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new banking malware dubbed "MMRat" has been identified that remotely controls infected devices and exfiltrates data from them. The stealthy trojan has been observed targeting users in Southeast Asia since June 2023.

In a published article, Trend Micro disclosed that the malware, which at the time of analysis was not detected by any engine on VirusTotal, can capture screenshots and user input. It also uses a customized command-and-control (C2) protocol built on protocol buffers (Protobuf), a serialization format rarely seen in Android banking trojans, to improve performance when transferring large volumes of data.

How the phishing links reach victims remains unclear, but researchers believe the malware is distributed through websites disguised as official app stores.

The attack begins when a victim downloads and installs the dubious app containing MMRat and grants the permissions it requests. "To avoid suspicion, MMRat often masquerades as an official government or dating app, then presents a phishing website to victims upon being launched," Trend Micro revealed.

Once it has the access it needs, the malware starts communicating with the C2 servers and transfers large amounts of data from the victim's device, including network data, installed apps, contacts, and screen and battery state. This information is collected periodically by a timer task that MMRat sets up.

"We believe the goal of the threat actor is to uncover personal information to ensure the victim fits a specific profile. [..] contacts that meet certain geographical criteria or have a specific app installed," the article revealed.

With the Accessibility permission granted, the malware can modify settings and grant itself additional permissions without further user interaction. Its remote-control channel lets it notify the threat actor and hand over control of the device, including unlocking it, to commit bank fraud. It also captures screenshots "for server-side visualization of the device screen".
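Because both MMRat's permission self-grant and its remote control hinge on an enabled accessibility service, one concrete check a practitioner can run on a managed Android device is to audit which accessibility services are enabled and flag any that are not expected. The following is an added example, not code from the article or from Trend Micro. It assumes the device is reachable over adb; the allowlist and the sample setting value are constructed for the example, and the package name com.example.govportal is hypothetical, not an MMRat indicator.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# On a real device the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which returns colon-separated "package/serviceclass" entries, or the
# literal string "null" when no accessibility service is enabled.

# Accessibility services expected on the fleet (assumption for the example).
ALLOWED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService
com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_accessibility_services "<settings value>" "<allowlist, one per line>"
# Prints one line per enabled service that is not in the allowlist.
# Returns 1 if any unexpected service was found, 0 otherwise.
flag_accessibility_services() {
    value="$1"
    allow="$2"
    found=0
    # "null" means nothing is enabled; nothing to flag.
    [ "$value" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=':'
    for svc in $value; do
        # Skip empty fields from stray separators.
        [ -z "$svc" ] && continue
        # Exact, whole-line, fixed-string match against the allowlist.
        if ! printf '%s\n' "$allow" | grep -qxF -- "$svc"; then
            printf 'UNEXPECTED accessibility service: %s\n' "$svc"
            found=1
        fi
    done
    IFS="$old_ifs"
    return $found
}

# Constructed sample output mimicking a device where TalkBack is enabled
# alongside a hypothetical unknown "government portal" app's service.
SAMPLE_VALUE='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.govportal/com.example.govportal.AccService'

flag_accessibility_services "$SAMPLE_VALUE" "$ALLOWED_SERVICES" \
    || echo "audit: unexpected accessibility service(s) found; investigate the package above"

# On a connected device (not run here), strip the CR that adb shell may add:
#   flag_accessibility_services \
#       "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
#       "$ALLOWED_SERVICES"
```

The check is a triage aid, not a detection signature: an unexpected service only tells you that some app has been granted accessibility control, which is exactly the capability MMRat needs, so the flagged package should then be pulled and inspected. Combine it with `adb shell pm list packages -3` to confirm the flagged package is a sideloaded third-party app rather than a vendor component.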

Afterwards, the malware can remove itself from the device, wiping the traces of its presence.

According to Trend Micro, the malware's stealthy screen-recording capability, combined with its C2 channel, lets the threat actors stream live video of the device screen while committing bank fraud.

The rise in Android trojans makes it imperative for device owners to install software only from trusted sources and to be vigilant about which apps they grant accessibility permissions, since that permission is what lets malware such as MMRat grant itself further access and control the device.