Sham Signal App Tied to China Raises Alarms
You're using your smartphone, scrolling through your favorite apps, sending messages, and staying connected. But what if some of those innocent-looking apps are not what they seem?
Picture this: You're using a messaging app like Signal to chat with your friends and family. You download what you believe is the official Signal app from the app store, but little do you know, it is actually a counterfeit version created by hackers!
This fake app mimics the real one, so you won't suspect a thing…
The last thing we want to worry about is whether the apps we're downloading could be secretly spying on us. However, a recent investigation by researcher Lukas Stefanko at ESET, a Slovakian cybersecurity company, has unveiled a disturbing reality: A sophisticated espionage scheme orchestrated by a China-aligned APT (Advanced Persistent Threat) group known as “GREF”.
This group has been deploying a devious piece of malware named “BadBazaar” that targets Android users through fake versions of popular messaging apps, including Signal and Telegram. These malicious versions, named “Signal Plus Messenger” and “FlyGram,” were cunningly designed to resemble the legitimate apps so closely that unsuspecting users wouldn't bat an eye.
In fact, at least one of these apps is still available in the Samsung Galaxy Store as of this writing, despite having been reported by ESET.
(Author’s Note: This is a negative signal about the health of Samsung’s information security ecosystem. The app should be down by now.)
The primary targets of these malicious apps are identified as Uyghur Muslims, a minority group that has been subjected to widespread repression and surveillance by the Chinese government.
This revelation underscores the broader trend of state-sponsored surveillance targeting vulnerable communities in China.
In fact, Hacking, but Legal recently covered the case of Naomi “Sexy Cyborg” Wu and the broader nexus of surveillance and the status of individuals identifying as LGBTQ in China. Wu, a lesbian living in Shenzhen who is partnered with a Uyghur Muslim named Kaidi, bravely spoke up on Twitter (which is banned in China) from her popular account @RealSexyCyborg, about security issues associated with the Signal app and its use by Chinese activists. However, her advocacy came at a cost—Chinese police recently paid her a chilling visit, specifically noting her tweets about Signal and threatening imprisonment if she didn't sign a confession and cease her efforts.
These malicious apps were cleverly designed to look innocent, making it hard for people to spot the danger. While getting the apps into a legitimate app store is itself a type of watering hole attack, it is also possible these apps further enabled the perpetrators to send targeted individuals links that appeared safe (“Download this messenger so we can speak securely!”), or to perform “man in the middle” style network interceptions in which a victim thought they were downloading the right app, but still ended up with the fake.
The implications of this discovery are grave.
Once you are unintentionally infected with a fake app like this, or any app containing similarly malicious code, it's like inviting a spy into your phone. It can collect all sorts of information without you even realizing it. It knows your location, the other apps you have on your phone, who you've been speaking to, and more. It's like someone (in this case, a repressive government seeking to control its citizens by any means necessary) peeking into your life without your permission whenever they like.
BadBazaar can covertly extract an array of personal data from victims' phones, including call logs, contact lists, and even sensitive information linked to Telegram. But the trickery doesn't stop there.
The state-sponsored hackers behind these fake apps have a bonus trick up their sleeves: They secretly link your compromised device to their own Signal account.
That means they can see the messages you're sending and receiving on Signal, even if you're trying to keep your conversations private. This autolinking maneuver enables the hackers to monitor Signal communications without detection, and is particularly alarming because it appears to be the first time something like this has been publicly documented.
Attribution by ESET to the China-aligned APT group GREF adds another layer of complexity to this disturbing saga. (“Advanced Persistent Threat”, or APT, is cybersecurity industry shorthand for a state-sponsored hacking organization.)
GREF has been previously linked to various Android trojans (deceptive malware), highlighting its persistence in compromising individuals' privacy for ulterior motives. While various key sources point to a likely connection between GREF and APT15 (a.k.a. Ke3chang, MirageFox, Vixen Panda, Playful Dragon, NICKEL), ESET researchers refrain from making this linkage in their latest report, emphasizing GREF's current independent identity in their own actor taxonomy.
However, the influential U.S. government think tank MITRE associates GREF and APT15 directly, and describes them as having “targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.”
It is important to note that malware research teams often have differing standards regarding evidence needed to reach conclusive attributions, and this remains a common point of debate within the threat intelligence industry.
The tale of BadBazaar finds its origins in the depths of a 2020 whitepaper issued by the threat intelligence team at security company Lookout (whose mobile business was recently sold to F-Secure for $223m), which named BadBazaar and uncovered how it operated as an Android surveillance tool, donning the guise of seemingly harmless apps – battery managers, video players, messaging apps, and more. Behind this facade of normalcy lay a malevolent purpose: to surreptitiously infiltrate the devices of Uyghur individuals and covertly harvest sensitive information.
Lookout’s report further integrated context from a 2019 discovery by researchers at The Citizen Lab, which had previously unearthed a related tool—the malware MOONSHINE—which targeted Tibetan activists to facilitate data collection, phone call recording, file theft, and more. These researchers described the activity as the “first documented case of one-click mobile exploits used to target Tibetan groups.”
A senior threat researcher at Lookout said in 2022 that the earliest samples of this particular malware date all the way back to 2018, and suggested the software was evolving as the perpetrators had both introduced new functionality and were “trying to do a better job of hiding where all of the malicious functionality actually lives within the source code.”
The tech publication ZDNET further highlighted that Lookout’s own report suggested a Chinese defense contractor may ultimately be responsible for the development and deployment of this malware.
Now, fast forward to ESET's recent technical exposé, and the threads start weaving together. The malicious apps “Signal Plus Messenger” and “FlyGram”, flagged as bearers of “BadBazaar” by ESET, follow a similar intricate pattern unveiled in previous research. These counterfeit apps infiltrated legitimate app stores and sometimes employed dedicated websites for their deceptive distribution.
The perpetrators have not simply relied on past successes, but have actively adapted and upgraded their methods. ESET's recent findings regarding sham Signal apps demonstrate the continued refinement and expansion of China's digital surveillance toolkit, adding to the grim tapestry of persistent threats targeting Uyghurs.
Despite growing international pressure, Chinese threat actors operating on behalf of the Chinese state are likely to continue to distribute surveillanceware targeting Uyghur and Muslim mobile device users through Uyghur-language communications platforms.
The wide distribution of both BadBazaar and MOONSHINE, and the rate at which new functionality has been introduced indicate that development of these families is ongoing and that there is a continued demand for these tools.
—Lookout, November 10, 2022
The common thread binding these events is the Chinese Communist Party’s relentless persistence in exerting its power and resources to access private data, monitor communications, and conduct surveillance, with the ultimate goal of exerting total control, mind and body, over its citizens.
The author tips her hat to @RayRedacted and @sickcodes.