Badbazaar

Malware profile updated: 2024-08-14T09:20:14.211Z
BadBazaar is Android spyware used by EvilBamboo, a China-aligned threat actor group. Volexity tracks it as one of three Android spyware families developed by the group, BADBAZAAR, BADSIGNAL and BADSOLAR, all custom-built to surveil communities that the Chinese Communist Party (CCP) regards as adversaries. The malware is hidden inside trojanized builds of legitimate-looking applications such as Signal and Telegram, which is what makes it effective: the messenger works as expected while the spyware runs alongside it. Its capabilities include collecting SMS messages, call logs and photos, and gathering device information such as the IMEI, timezone, Wi-Fi details, installed apps, contact lists and location.

BadBazaar first came to prominence in November 2022, when it was documented being used by APT15 against the Uyghur community in mainland China and abroad, including in Turkey and Afghanistan. It was disguised as ordinary Android applications and was observed alongside updated variants of the MOONSHINE Android surveillance tooling. BadBazaar was also distributed through a site named allwhatsapp[.]net, which hosted variants of the malware; the same name appeared on a likely malicious iOS app associated with BADSOLAR and on a Google account used to distribute the BADBAZAAR variant aimed at Taiwanese users.

Distribution broadened in January 2023, when EvilBamboo began targeting Taiwanese users by posting the Android spyware in threads on a Taiwanese APK-sharing forum, apk[.]tw, where the threads drew more than 100,000 views. Further analysis showed that these applications were promoted to users through supporting Telegram groups. The Volexity advisory concludes that EvilBamboo primarily targets Taiwanese, Uyghur and Tibetan users with these malware families.
Description last updated: 2024-08-14T08:56:57.396Z
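The description names two distribution points in defanged form, allwhatsapp[.]net and apk[.]tw. An entry like this one only helps defenders once those indicators are refanged and matched against telemetry, so the following is an added example (not code from this page, Volexity or ESET) that refangs such indicators and scans constructed DNS resolver log lines for exact and subdomain matches. The log format, client addresses and confidence labels are assumptions for the example; apk[.]tw is a legitimate forum whose threads were abused for distribution, so a query to it is tagged as low-confidence context rather than as an infection indicator.

```python
import re

# Indicators as they appear on this page (defanged), with an analyst-assigned
# confidence label. The labels are an assumption for this example: the page says
# allwhatsapp[.]net hosted BadBazaar variants, while apk[.]tw is a legitimate
# forum whose threads were abused for distribution, so it is context only.
DEFANGED_INDICATORS = {
    "allwhatsapp[.]net": "high",
    "apk[.]tw": "low",
}

# Constructed resolver log lines (not real telemetry) in an assumed format.
SAMPLE_DNS_LOG = [
    "2023-09-05T10:01:02Z client=10.0.0.15 query=www.allwhatsapp.net type=A",
    "2023-09-05T10:01:09Z client=10.0.0.15 query=apk.tw. type=A",
    "2023-09-05T10:02:11Z client=10.0.0.22 query=signal.org type=A",
    "2023-09-05T10:02:40Z client=10.0.0.31 query=notallwhatsapp.net type=A",
]

LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Undo common defanging: [.] (.) {.} [dot] -> '.', hxxp(s):// -> http(s)://."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def host_matches(qname: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it.

    Suffix matching is done on a label boundary so that a look-alike such as
    'notallwhatsapp.net' does not match 'allwhatsapp.net'.
    """
    host = qname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_dns_log(lines, indicators=DEFANGED_INDICATORS):
    """Return (client, qname, matched_domain, confidence) for every log line that hits."""
    refanged = {refang(d): conf for d, conf in indicators.items()}
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        for domain, conf in refanged.items():
            if host_matches(m["qname"], domain):
                hits.append((m["client"], m["qname"].rstrip("."), domain, conf))
    return hits


if __name__ == "__main__":
    for client, qname, domain, conf in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{conf:5} {client} -> {qname} (matches {domain})")
```

Run against the constructed log, the scan reports the two queries from 10.0.0.15 and ignores both signal.org and the look-alike notallwhatsapp.net. In practice the high-confidence hit is worth an immediate look at that client for a sideloaded messenger, while the low-confidence apk[.]tw hit only becomes interesting together with other evidence such as a subsequent APK download.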
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Flygram (3 votes): FlyGram is malware that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to steal sensitive data from users' devices, including basic device information, contact lists, call logs and Google Account data. The malwa…
Signal Plus Messenger (2 votes): Signal Plus Messenger and FlyGram are trojanized apps carrying BadBazaar, a sophisticated espionage tool attributed to the China-aligned threat actor GREF. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store and specific websites…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Telegram
Signal
Android
Spyware
Espionage
Malware
Eset
Volexity
Tool
Associated Threat Actors
NICKEL (type unspecified, 2 votes): Nickel is a China-linked threat actor tracked under several overlapping names, including APT15, BackdoorDiplomacy and Vixen Panda. This group has been actively targeting critical Active Directory assets, notably the NTDS.dit file, the KRB…
GREF (type unspecified, 2 votes): GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns distributed the BadBazaar malware via two applications, Signal Plus Messenger and FlyGram, through the Google Play s…
APT15 (type unspecified, 2 votes): APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy and military, aligning with the interests of the Chinese government. I…
Vixen Panda (type unspecified, 2 votes): Vixen Panda, also known as APT15, Flea, KE3CHANG, Nickel, Playful Dragon, Royal APT and BackdoorDiplomacy, among other names, is a significant threat actor believed to be sponsored by the Chinese government. The group has been operational since at least 2004, targeting government entities, diplomat…
Source Document References
Information about the BadBazaar malware was read from the documents below (display limited to 20 results).
DARKReading (a month ago): Sophisticated Android Spyware Targets Users in Russia
ESET (8 months ago): Attack of the copycats: How impostor apps and fake app mods could bite you
CERT-EU (a year ago): EvilBamboo Attacking Android & iOS Devices With Custom Malware
InfoSecurity-magazine (a year ago): China-Linked EvilBamboo Targets Mobiles
CERT-EU (a year ago): From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese
CERT-EU (a year ago): EvilBamboo Targets Mobile Devices in Multi-year Campaign
CERT-EU (a year ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU (a year ago): 'Evil Telegram' Android apps on Google Play infected 60K with spyware
CERT-EU (a year ago): Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play
Securityaffairs (a year ago): Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores
CERT-EU (a year ago): Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor
CERT-EU (a year ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Uyghur populations
CERT-EU (a year ago): Delete these 2 fake messaging apps tied to China-aligned hacking group before your personal information is stolen | National Cyber Security Consulting
CERT-EU (a year ago): The latest cyberattacks (5 September 2023) • Cybersécurité
CERT-EU (a year ago): New China-linked "BadBazaar" targets Android users via fake Signal, Telegram apps
Securityaffairs (a year ago): Security Affairs newsletter Round 435 by Pierluigi Paganini
CERT-EU (a year ago): BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps | IT Security News
CERT-EU (a year ago): Cyber Security Week in Review: September 1, 2023
CERT-EU (a year ago): BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps
CERT-EU (a year ago): Fake Signal and Telegram apps – Week in security with Tony Anscombe