BADBAZAAR
BadBazaar is a mobile spyware/surveillanceware family with Android and iOS variants. Public reporting ties it with high confidence to China-aligned activity, including attribution to APT15 (also known as VIXEN PANDA/NICKEL); other reporting links BadBazaar operations to GREF and to the activity Volexity tracks as EvilBamboo. It has been used primarily against Uyghur, Tibetan, and Taiwanese individuals and communities, as well as related civil society organizations; reporting also notes targeting of people connected to democracy activism, Falun Gong, and other groups viewed by the Chinese state as sensitive.
BadBazaar is commonly delivered through trojanized or legitimate-looking mobile applications, especially Android apps masquerading as messaging apps, prayer apps, utilities, PDF readers, radio apps, dictionaries, battery managers, video players, third-party app stores, and regionally themed apps. Named lures and apps include Signal Plus Messenger, FlyGram, TibetOne, Muslim Pro-themed lures, Radio Afghanistan-themed lures, WhatsApp/Signal/Telegram impersonators, and Whoscall-themed samples. Distribution channels mentioned include dedicated websites such as signalplus[.]org and flygram[.]org, Telegram channels and groups including tibetanphone, Reddit/forum promotion, YouTube promotional videos, Google Play, Samsung Galaxy Store, and in one case Apple’s App Store via the TibetOne iOS app.
Capabilities described in reporting include theft of device and operator information, contacts, call logs, installed apps, Wi-Fi information, Google account emails, chats or messaging-related data, location data, photos, and files, and, in some variants, real-time SMS theft or forwarding, photo capture, microphone and camera access, and real-time tracking. Government advisories state that BadBazaar can covertly access microphones, cameras, messages, photos, chats, and location data. ESET reported that the Signal Plus Messenger variant abused Signal’s linked-device feature to silently link a victim’s Signal account to an attacker-controlled device and steal the Signal PIN, enabling surveillance of Signal communications. FlyGram also included a malicious Cloud Sync feature that uploaded Telegram backups and metadata to attacker-controlled infrastructure.
The iOS variant, publicly analyzed by Lookout in January 2024, masqueraded as TibetOne and exfiltrated device name, device type, local IP, OS version, UDID, and location. It sent data to tryhrwserf[.]com:4432/api/iosvalues and location-related data to tryhrwserf[.]com:4432/api/ioslogin, used SSL pinning with the embedded certificate WIN-I6VBN8MR92A.cer (SHA1: 55191348eb763dc853a719c0f3defdbe354127db), and justified its location permission by displaying weather information fetched with the OpenWeatherMap API key 64ffc9b16a9884436fa2ef3bf5248075, a pretext for collecting location. Reporting also notes Android/iOS C2 similarities, including Windows-hosted ASP.NET infrastructure and the common API ports 4432 and 4332, with some servers exposing unsecured API help pages or iOS-related endpoints such as api/IosUploadFile.
Infrastructure and indicators mentioned in reporting include signalplus[.]org:4332, flygram[.]org:4432, tryhrwserf[.]com, tibetone[.]org, xle.clublogs[.]com, clublogs[.]com, actuallys[.]com, rewrwer[.]com, voiceoftibet[.]net, myloughborough[.]com, pmstwocqn[.]com, collinformations[.]com, androidupdated[.]net, mail.pmumail[.]com, and IPs including 148[.]251[.]87[.]197, 95[.]179[.]210[.]85, and 65[.]21[.]92[.]67. Additional artifacts noted include the package names org.thoughtcrime.securesmsplus and org.telegram.FlyGram, and SSL/common-name artifacts such as WMSvc-WIN-50QO3EIRQVP, WIN-50QO3EIRQVP, WIN-EU0VLBL7TUJ, and WIN-70E59JVOB9G.
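As an added example (not code from the cited reporting, from Mallory, or from any vendor's tooling), the script below loads the indicators listed above, refangs them, and matches them against a few constructed DNS, connection and app-inventory records. The log formats, the sample records and the device names are assumptions. Subdomains of a listed domain count as hits, the pinned certificate fingerprint is compared with the server certificate seen in TLS telemetry (assuming the pinned certificate is the one the C2 server presents), and a connection that only shares the 4432/4332 port with known C2 is reported at low confidence, since a port by itself is a weak signal.

```python
"""Match BadBazaar indicators from the profile above against sample telemetry.

Added example; indicators are copied from the profile, everything else is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ---- Indicators from the profile (kept defanged here, refanged at load time) ----
DEFANGED_DOMAINS = [
    "signalplus[.]org", "flygram[.]org", "tryhrwserf[.]com", "tibetone[.]org",
    "xle.clublogs[.]com", "clublogs[.]com", "actuallys[.]com", "rewrwer[.]com",
    "voiceoftibet[.]net", "myloughborough[.]com", "pmstwocqn[.]com",
    "collinformations[.]com", "androidupdated[.]net", "mail.pmumail[.]com",
]
DEFANGED_IPS = ["148[.]251[.]87[.]197", "95[.]179[.]210[.]85", "65[.]21[.]92[.]67"]
C2_PORTS = {4432, 4332}                      # API ports noted in reporting; weak alone
PACKAGE_NAMES = {"org.thoughtcrime.securesmsplus", "org.telegram.FlyGram"}
CERT_SHA1S = {"55191348eb763dc853a719c0f3defdbe354127db"}   # WIN-I6VBN8MR92A.cer


def refang(value: str) -> str:
    """Turn a defanged indicator ('x[.]y', 'hxxp://') back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}


@dataclass
class Hit:
    confidence: str   # "high" or "low"
    source: str       # telemetry the hit came from (dns, netflow, tls, mdm)
    device: str
    indicator: str
    detail: str


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain a hostname equals or is a subdomain of, else None.

    Checking 'host.endswith("." + d)' keeps 'notclublogs.com' from matching
    'clublogs.com'; most specific listed domain wins.
    """
    host = host.lower().rstrip(".")
    for d in sorted(DOMAINS, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


# Assumed log formats (constructed for this example):
#   DNS:  <ts> <client-ip> query <qname>
#   CONN: <ts> <client-ip> -> <dst-ip>:<port> [cert=<server cert sha1>]
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)"
    r"(?: cert=(?P<cert>[0-9a-fA-F]{40}))?$"
)


def scan_dns(lines: str) -> List[Hit]:
    hits = []
    for line in lines.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        d = domain_matches(m["qname"])
        if d:
            hits.append(Hit("high", "dns", m["client"], d, f"{m['ts']} queried {m['qname']}"))
    return hits


def scan_connections(lines: str) -> List[Hit]:
    """One hit per line at the strongest applicable confidence."""
    hits = []
    for line in lines.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        dst, port = ipaddress.ip_address(m["dst"]), int(m["port"])
        cert = (m["cert"] or "").lower()
        if dst in IPS:
            hits.append(Hit("high", "netflow", m["client"], str(dst),
                            f"{m['ts']} connected to listed C2 IP on tcp/{port}"))
        elif cert in CERT_SHA1S:
            hits.append(Hit("high", "tls", m["client"], cert,
                            f"{m['ts']} server {dst}:{port} presented the pinned BadBazaar certificate"))
        elif port in C2_PORTS:
            hits.append(Hit("low", "netflow", m["client"], f"tcp/{port}",
                            f"{m['ts']} unlisted host {dst} on a BadBazaar API port; port alone is weak"))
    return hits


def scan_inventory(inventory: List[dict]) -> List[Hit]:
    """Flag devices whose MDM/app inventory reports a listed package name."""
    return [Hit("high", "mdm", dev["device"], dev["package"], "listed BadBazaar package installed")
            for dev in inventory if dev["package"] in PACKAGE_NAMES]


# ---- Constructed sample telemetry (not real observations) ----
DNS_LOG = """\
2024-02-01T10:00:01Z 10.0.0.12 query www.example.com
2024-02-01T10:00:07Z 10.0.0.12 query flygram.org
2024-02-01T10:01:15Z 10.0.0.31 query api.tryhrwserf.com
2024-02-01T10:01:20Z 10.0.0.44 query notclublogs.com
"""
CONN_LOG = """\
2024-02-01T10:00:08Z 10.0.0.12 -> 95.179.210.85:4432
2024-02-01T10:00:09Z 10.0.0.12 -> 198.51.100.7:443
2024-02-01T10:01:16Z 10.0.0.31 -> 203.0.113.9:4432 cert=55191348eb763dc853a719c0f3defdbe354127db
2024-02-01T10:02:00Z 10.0.0.50 -> 203.0.113.77:4332
"""
APP_INVENTORY = [
    {"device": "android-12", "package": "org.thoughtcrime.securesms"},
    {"device": "android-12", "package": "org.thoughtcrime.securesmsplus"},
    {"device": "android-31", "package": "org.telegram.messenger"},
]


def run_all() -> List[Hit]:
    hits = scan_dns(DNS_LOG) + scan_connections(CONN_LOG) + scan_inventory(APP_INVENTORY)
    return sorted(hits, key=lambda h: (h.confidence != "high", h.device))


if __name__ == "__main__":
    for h in run_all():
        print(f"[{h.confidence:4}] {h.source:7} {h.device:11} {h.indicator:42} {h.detail}")
```

Against the sample records this reports five high-confidence hits (two DNS, one listed IP, one pinned-certificate match, one package name) and one low-confidence port-only hit; the `notclublogs.com` query and the ordinary HTTPS connection produce nothing. In production the domain and IP sets would be fed from a feed rather than hard-coded, and the low-confidence bucket is what you would correlate with other signals rather than page on directly.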
Reporting consistently characterizes BadBazaar as part of long-running mobile surveillance operations using culturally tailored social engineering against targeted ethnic and political communities, with collection of data that would support monitoring, intimidation, and harassment.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
BADBAZAAR is a mobile malware with iOS and Android variants that have targeted Uyghurs, Tibetans and Taiwanese individuals.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
The PRC has been publicly linked to cyber espionage operations against the Uyghur minority group, including members living in Canada, using spear phishing emails and spyware.
Execution (1 technique)
Stealth (1 technique)
IOCs tracked for this family
34 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Malware referenced as targeting mobile users via fake apps; details not provided in the excerpt.
Android spyware family associated with surveillance, extortion, and identity theft activity.
Spyware discussed as an example of modern spying tools that can pose as everyday apps and turn phones into surveillance devices.
Malware referenced via NCSC UK advisory in connection with MOONSHINE and UPSEC; no additional functional details provided in this content.