BadBazaar malware campaigns: ESET researchers have identified two active campaigns targeting Android users with BadBazaar malware, which is attributed to the China-aligned APT group GREF. The campaigns have been active since July 2020 and July 2022, respectively.
Trojanized Signal and Telegram apps: The campaigns distribute BadBazaar malware through malicious apps that mimic Signal and Telegram, called Signal Plus Messenger and FlyGram. The apps are available on Google Play, Samsung Galaxy Store, and dedicated websites. The apps can exfiltrate user data and spy on Signal communications.
Targeting Uyghurs and others: BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities outside of China. FlyGram malware was also seen shared in a Uyghur Telegram group. ESET telemetry reported detections on Android devices from 16 countries.