Chinese APT Group GREF Use BadBazaar in Android Espionage

Written by

ESET researchers have exposed a sophisticated espionage tool named BadBazaar, which targets Android users through malicious versions of popular communication apps Signal and Telegram. 

The tool is believed to be the work of the China-aligned APT group known as GREF. This group has been linked to previous cyber campaigns targeting Uyghurs and other Turkic ethnic minorities.

The two new campaigns are suspected to have been active since around July 2020 and July 2022, respectively. BadBazaar has been distributed through several channels, including the official Google Play store, Samsung Galaxy Store and dedicated websites posing as legitimate app sources. The malicious apps in question, Signal Plus Messenger and FlyGram were used as the vehicles for this espionage operation.

In a technical write-up released earlier today, ESET researchers have revealed the malware’s capabilities, including FlyGram’s data harvesting features encompassing basic device details, contact lists, call logs and Google Account data, along with limited access to specific Telegram-related data. 

Signal Plus Messenger goes further, enabling attackers to clandestinely link compromised devices to their Signal accounts, granting them Signal communication access and showcasing their advanced tactics. 

Read more on spyware tools: Android Spyware BouldSpy Linked to Iranian Government

Notably, the attackers utilized SSL pinning to protect the communication between the malicious apps and their command-and-control servers, making interception and analysis challenging for researchers. According to the ESET advisory, the campaigns targeted users across several countries, indicating a broad scope of victimology.

ESET’s immediate action led to the removal of malicious apps from Google Play, but distribution continues through the Samsung Galaxy Store, alternate app sources and dedicated websites.

In today’s ever-evolving digital landscape, the emergence of the BadBazaar threat underscores the need for heightened cybersecurity. Alongside standard practices like keeping devices updated and using trusted security solutions, users should exercise caution when downloading apps. 

Verifying app developers, practicing good cyber-hygiene and maintaining a vigilant attitude towards potential threats contribute to a more robust defense against emerging cyber-risks.

Editorial image credit: Natee Meepian /

What’s hot on Infosecurity Magazine?