Flygram

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

FlyGram is a malicious software (malware) that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to exploit and damage users' devices by stealing sensitive data, including basic device information, contact lists, call logs, and Google Account data. The malware was hidden in a trojanized version of the legitimate app Telegram, named FlyGram. A promotional YouTube video for the backdoored FlyGram app was also discovered. At least 13,953 individuals who downloaded FlyGram activated it, according to telemetry related to a specific backup feature. The distribution of this malware was part of a sophisticated espionage campaign believed to be orchestrated by a China-linked threat actor known as Gref. This campaign has been ongoing since July 2023 and involves another malware called BadBazaar, which targets Android users via fake versions of popular communication apps Signal and Telegram. These malicious apps, named Signal Plus Messenger and FlyGram, were used as vehicles for this operation. Signal Plus Messenger was published in app stores in July 2022 and was not removed from Google Play until May 2023. Interestingly, due to a misconfiguration of the C2 server, it was possible to enumerate the API endpoints used by the FlyGram variant. This revealed that the threat actor had configured API endpoints for an iOS version of the app. ESET researchers have revealed the malware’s capabilities in a technical write-up, including FlyGram's extensive data harvesting features and limited access to specific Telegram-related data. These findings highlight the evolving nature and growing sophistication of malware threats targeting mobile devices.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Badbazaar	3	BadBazaar is a malicious software (malware) developed by EvilBamboo, a hacker group that primarily targets the Uyghur community in China and abroad, including Turkey and Afghanistan. This malware, along with two others named BADSIGNAL and BADSOLAR, is designed to exploit Android devices through dece
Signal Plus Messenger	3	Signal Plus Messenger and FlyGram are malware variants of a sophisticated espionage tool named BadBazaar, believed to be orchestrated by a China-linked threat actor known as Gref. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store, and specific websites

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Eset

Signal

Android

Malware

Google

Spyware

Chinese

Espionage

Proxy

Sandbox

Youtube

Ios

Payload

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
GREF	has used	2	GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play s
APT15	has used	1	APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Flygram Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	a year ago	BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps \| IT Security News
CERT-EU	a year ago	Chinese Gref APT targets Android users via fake Signal and Telegram apps
CERT-EU	a year ago	Threat of Fake Signal and Telegram Apps: Protecting Your Privacy and Security \| IT Security News
CERT-EU	a year ago	Cyber Security Week in Review: September 1, 2023
CERT-EU	a year ago	Fake Signal and Telegram apps – Week in security with Tony Anscombe
InfoSecurity-magazine	a year ago	Chinese APT Group GREF Use BadBazaar in Android Espionage
CERT-EU	a year ago	'Evil Telegram' Android apps on Google Play infected 60K with spyware
BankInfoSecurity	a year ago	Chinese APT Uses Fake Messenger Apps to Spy on Android Users
Securityaffairs	a year ago	Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores
CERT-EU	10 months ago	EvilBamboo Targets Mobile Devices in Multi-year Campaign
CERT-EU	a year ago	BadBazaar: Chinese Spyware Shams Signal, Telegram Apps
CERT-EU	a year ago	Delete these 2-fake messaging apps tied to China-aligned hacking group before your personal information is stolen \| Technology \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Trojanized Android messaging apps used for BadBazaar spyware distribution
DARKReading	a year ago	'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users
CERT-EU	a year ago	Spyware versions of Telegram and Signal on Google Play
CERT-EU	a year ago	New China-linked "BadBazaar" targets Android users via fake Signal, Telegram apps
CERT-EU	a year ago	BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps
DARKReading	a year ago	Chinese Group Spreads Android Spyware Via Trojan Signal, Telegram Apps
CERT-EU	a year ago	BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
CERT-EU	a year ago	Trojanized Signal and Telegram apps on Google Play delivered spyware