Signal Plus Messenger

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Signal Plus Messenger and FlyGram are malware variants of a sophisticated espionage tool named BadBazaar, believed to be orchestrated by a China-linked threat actor known as Gref. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store, and specific websites, imitating popular communication apps Signal and Telegram. The campaign has been ongoing since July 2023, targeting Android users. Both Signal Plus Messenger and FlyGram contain code to check if the device operator is Chinese, similar to BadBazaar. While several vendors have tied BadBazaar to APT15, ESET could not conclusively establish this link. The primary objective of these malware variants is user data exfiltration and espionage. BadBazaar steals device information such as contact lists, call logs, and installed applications, and spies on Signal conversations by secretly attaching the victim’s Signal Plus Messenger app to the attacker’s mobile device. FlyGram can extract sensitive data like contact lists, phone logs, and Google Accounts, along with basic device information. Signal Plus Messenger collects similar data but focuses primarily on tracking the victim's Signal communications. Signal Plus Messenger, once available on Google Play and Samsung Galaxy Store, misuses the link device feature to spy on Signal messages. This allows active espionage on exchanged Signal communication. Despite their harmful nature, these malicious apps were uploaded and disseminated under the guise of legitimate applications. It's important to note that these apps pose a significant risk to users, as they can steal personal information, disrupt operations, or even hold data hostage for ransom.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Flygram
3
FlyGram is a malicious software (malware) that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to exploit and damage users' devices by stealing sensitive data, including basic device information, contact lists, call logs, and Google Account data. The malwa
Badbazaar
2
BadBazaar is a malicious software (malware) developed by EvilBamboo, a hacker group that primarily targets the Uyghur community in China and abroad, including Turkey and Afghanistan. This malware, along with two others named BADSIGNAL and BADSOLAR, is designed to exploit Android devices through dece
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Signal
Telegram
Google
Android
Spyware
Malware
Proxy
Eset
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
GREFUnspecified
2
GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play s
APT15Unspecified
2
APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Signal Plus Messenger Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
ESET
6 months ago
Attack of the copycats: How impostor apps and fake app mods could bite you
CERT-EU
a year ago
BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps
CERT-EU
a year ago
BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps | IT Security News
CERT-EU
a year ago
Chinese Gref APT targets Android users via fake Signal and Telegram apps
CERT-EU
a year ago
Threat of Fake Signal and Telegram Apps: Protecting Your Privacy and Security | IT Security News
DARKReading
a year ago
Chinese Group Spreads Android Spyware Via Trojan Signal, Telegram Apps
CERT-EU
a year ago
Cyber Security Week in Review: September 1, 2023
CERT-EU
a year ago
Fake Signal and Telegram apps – Week in security with Tony Anscombe
Securityaffairs
a year ago
Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores
CERT-EU
a year ago
BadBazaar: Chinese Spyware Shams Signal, Telegram Apps
CERT-EU
a year ago
Delete these 2-fake messaging apps tied to China-aligned hacking group before your personal information is stolen | Technology | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
a year ago
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
CERT-EU
a year ago
Trojanized Android messaging apps used for BadBazaar spyware distribution
DARKReading
10 months ago
'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users
CERT-EU
10 months ago
Spyware versions of Telegram and Signal on Google Play