Flygram

Malware updated 7 months ago (2024-05-04T16:38:12.243Z)
FlyGram is malware that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to compromise users' devices by stealing sensitive data, including basic device information, contact lists, call logs, and Google Account data. The malware was hidden in a trojanized version of the legitimate Telegram app, distributed under the name FlyGram; a promotional YouTube video for the backdoored app was also discovered. Telemetry tied to a specific backup feature shows that at least 13,953 people who downloaded FlyGram activated it. The distribution of this malware was part of a sophisticated espionage campaign believed to be orchestrated by a China-linked threat actor known as Gref. The campaign has been ongoing since July 2023 and also involves another malware family, BadBazaar, which targets Android users through fake versions of the popular messaging apps Signal and Telegram; the malicious apps, named Signal Plus Messenger and FlyGram, served as the delivery vehicles for this operation. Signal Plus Messenger was published in app stores in July 2022 and was not removed from Google Play until May 2023. Notably, a misconfiguration of the C2 server made it possible to enumerate the API endpoints used by the FlyGram variant, which revealed that the threat actor had also configured API endpoints for an iOS version of the app. ESET researchers have documented the malware's capabilities in a technical write-up, including FlyGram's extensive data harvesting features and its limited access to specific Telegram-related data. These findings highlight the evolving nature and growing sophistication of malware threats targeting mobile devices.
Description last updated: 2024-05-04T16:37:07.456Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias (votes): Description

Signal Plus Messenger (3): Signal Plus Messenger is a possible alias for Flygram. Signal Plus Messenger and FlyGram are malware variants of a sophisticated espionage tool named BadBazaar, believed to be orchestrated by a China-linked threat actor known as Gref. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store, and specific websites.

Badbazaar (3): Badbazaar is a possible alias for Flygram. BadBazaar is a malicious software, or malware, employed by EvilBamboo, a threat actor group. This malware is part of three Android spyware families developed by the group, including BADBAZAAR, BADSIGNAL, and BADSOLAR. These are custom-built to target adversaries of the Chinese Communist Party (CCP).
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Telegram
Android
Signal
Eset
Spyware
Malware
Google
Associated Threat Actors
Alias (association type, votes): Description

GREF (Threat Actor, 2): The GREF Threat Actor is associated with Flygram. GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play shas used
Source Document References
Information about the Flygram malware was read from the document corpus below. This display is limited to 20 results.
Source (number of documents, created at)

CERT-EU (15 documents, a year ago)
DARKReading (2 documents, a year ago)
InfoSecurity-magazine (1 document, a year ago)
BankInfoSecurity (1 document, a year ago)
Securityaffairs (1 document, a year ago)