Chinese APT Uses Fake Messenger Apps to Spy on Android Users

Chinese APT Uses Fake Messenger Apps to Spy on Android Users

In the coming years, Signal’s applications became compromised, while Telegram, containing the BadBazaar spyware, was uploaded to Google Play and Samsung Galaxy Store by the Chinese hacking group known as GREF.

In the past, this malware was employed to target ethnic minorities in China. However, ESET reports a shift in focus, with attackers now aiming at users in countries including Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.

BadBazaar spyware

The BadBazaar spyware boasts a range of capabilities, such as pinpointing the device’s precise location, pilfering files, recording calls and SMS messages, capturing phone conversations, acquiring photos from the camera, and absconding with contact lists, files, or databases.

The trojanized applications containing the BadBazaar malicious code were discovered by ESET researcher, Lukas Stefanko.

The Chinese team has introduced two apps named “Signal Plus Messenger” and “FlyGram,” which are modified versions of the popular open-source instant messaging apps Signal and Telegram.

Interestingly, hackers have established dedicated websites, “signalplus[.]org” and “flygram[.]org,” to enhance the legitimacy of these apps. These websites provide links for installing the apps either from Google Play or directly from the site.

According to ESET, the FlyGram app is designed to target sensitive data, including contact lists, call logs, Google accounts, and WiFi data. Additionally, it features a hazardous backup function that transmits Telegram communication data to a server under the control of the attackers.

Examination of the available data reveals that a minimum of 13,953 FlyGram users have activated the backup feature. Nevertheless, the precise user count for the spyware application remains unknown.

On the other hand, the Signal clone collects similar information, but focuses more on extracting information related to Signal, such as victim’s communications and the PIN protecting their account from unauthorized access.

However, the fake Signal app includes a feature that makes it attack more interesting as it allows the attacker to link a victim’s Signal accounts to devices controlled by them (the invaders). So they can see future messages.

Signal offers a QR-code-based feature enabling multiple devices to connect to a single account, allowing messages to be accessible from all connected devices.

Signal Plus Messenger with BadBazaar spyware exploits this feature by automatically linking its devices to victims’ Signal accounts, bypassing the QR-code process without their knowledge. This enables attackers to monitor all future messages sent from the Signal account.

The spyware discreetly establishes a connection between the victim’s smartphone and the attacker’s device, allowing the attacker to eavesdrop on Signal communications without the victim’s awareness.

ESET has reported that this method of spying on Signal has been employed previously, as it is the sole means of accessing the message content.

To determine if someone has accessed your Signal account, launch the official Signal app, navigate to Settings, and select “Linked Devices” to inspect and oversee all connected devices.


For Android users, it is strongly recommended to utilize the official Signal and Telegram versions to ensure their safety from potential risks.

Spyware infections can result in significant breaches of user privacy and security, underscoring the importance of prevention and early detection measures.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!