A Spy Story Unveiled as the Chinese Spies Target Android Users with Sneaky Fake Apps

Android users, hold on to your phones because a story of intrigue and espionage is being played out right in front of you. Ingenious phony versions of the well-known messaging applications Signal and Telegram were used in two recent Chinese spy missions, according to ESET, the security researchers with their finger on the pulse of digital espionage. James Bond-like, yet with a modern digital touch.

The saga begins with a shadowy threat group known as GREF, which hails from the depths of the Chinese cyber underworld. These masterminds concocted cunning replicas of Signal and Telegram, cloaking them with the innocent veneer of the real thing. They then cunningly slipped these imposters into the Google Play and Samsung Galaxy Stores, ready to pounce on unsuspecting Android users.

Over two acts, the Chinese hackers crafted their symphony of deception. "Signal Plus Messenger" makes a significant entry in the first act, imitating the well-known Signal app. Act 2 featured "FlyGram," a Telegram knockoff that both promised an app experience while dancing indiscreetly to a frightening beat.


Like any good suspenseful story, the plot thickens. These malicious apps were unleashed into the wilds of the internet between July 2020 and July 2022. Thousands of users took the bait, downloading the imposters, unwittingly inviting digital spies into their lives.

With hotspots lighting up the map in the US, different EU countries, Ukraine, and even as far away as Australia, Brazil, Singapore, the Democratic Republic of the Congo, and Yemen, ESET's radar discovered these fakes all over the world. Yes, spies still have their passports ready in the digital age.

Enter the hero of our story: Lukáš Štefanko, a researcher at ESET who unraveled the devious plot. He discovered that these Trojan horses, Signal Plus Messenger and FlyGram, carried a hidden payload, the BadBazaar. This villainous code aimed to collect device information, contact lists, call logs, and lists of installed apps. But that wasn't all; like a cunning thief stealing your secrets, it even attempted to listen in on Signal messages.

Stefanko noted that the "main goal of BadBazaar is to exfiltrate device information, the contact list, call logs, and the list of installed apps, as well as to conduct Signal message espionage by covertly connecting the victim's Signal Plus Messenger app to the attacker's device." I'm not sure what more to say if that doesn't sound like a scenario straight out of a cyberspy movie.

But wait, there's a twist! Unlike a classic spy movie, one of the nefarious twins, FlyGram, didn't manage to breach the encrypted walls of the real Telegram app. It couldn't intercept your deepest, darkest secrets. However, it did have a party with your Telegram backups if you had enabled them. Around 14,000 Telegram users unknowingly allowed this digital sneak to access their backups, turning their conversations into an open book.

The perpetrators of this cyber-espionage symphony, GREF, were found to have a history of focusing on Uyghurs and other Turkic ethnic minorities, which was a critical finding. They appear to have a penchant for prejudice against people who don't fit the mold. The links between their earlier malware attacks and these phony apps are obvious as day, pointing to the same enigmatic individuals.

In its heroic role as guardian, Google has subsequently removed these fake apps from the Play Store, but other websites may still be hiding these spying tools in the digital shadows. We're playing the digital equivalent of a game of cat and mouse with foreign spies rather than fluffy animals.

As the dust settles on this cyber drama, one can't help but marvel at the intricate web these hackers spun. It's a reminder that the world of espionage has evolved – it's not just Bond anymore; it's code and clicks, intrigue in pixels. So, dear Android users, guard your devices, beware of imposter apps, and remember, in the digital realm, not everything is as it seems.

Read next: Innovative Android Malware Exploits Unconventional Data Theft Approach
Previous Post Next Post