BADBAZAAR
BadBazaar is a mobile surveillanceware family with Android and iOS variants. Public reporting ties it to China-aligned activity: ESET's reporting on the active Android campaigns links them to GREF, other reporting attributes the family to APT15, and Volexity tracks related activity under the actor name EvilBamboo. It has been used primarily against Uyghur, Tibetan, and Taiwanese individuals and related civil society organizations, with broader references to targets connected to democracy activism, Falun Gong, and other communities the Chinese state treats as sensitive.
BadBazaar is commonly delivered through trojanized or legitimate-looking mobile applications, including fake or modified messaging apps and community-themed apps. Reported lures and app themes include Signal Plus Messenger, FlyGram, WhatsApp- and Telegram-themed apps, prayer and religious apps, dictionaries, radio apps, utilities, PDF readers, and the iOS app TibetOne. Reported distribution channels include dedicated websites such as signalplus[.]org and flygram[.]org, Telegram channels and groups such as tibetanphone, Reddit and forum promotion, Google Play, the Samsung Galaxy Store, and in one case Apple's App Store.
On Android, reported capabilities include collection of device and operator information, contacts, call logs, SMS messages (including real-time forwarding), installed apps, files, photos, Wi-Fi information, Google account emails, and location data, and in some variants retrieval of Telegram-related files. Volexity reported BADBAZAAR second-stage functionality for file listing and retrieval, photo capture, contact theft, call-log theft, SMS theft, device information collection, and location collection. ESET reported that Signal Plus Messenger abused Signal's linked-device feature to silently link the victim's Signal account to an attacker-controlled device and to steal the Signal PIN, giving the operator ongoing access to the victim's Signal communications; because the link is a legitimate one from Signal's point of view, the attacker's device is visible to the victim in Signal's Linked Devices settings, which is the practical check for affected users. FlyGram also included a malicious Cloud Sync feature that uploaded Telegram backups and metadata to attacker-controlled infrastructure.
On iOS, the BadBazaar variant is reported to have more limited functionality than the Android version, but it still exfiltrated the device name, device type, local IP, OS version, UDID, and location. The iOS TibetOne sample posted data to the endpoints /api/iosvalues and /api/ioslogin on tryhrwserf[.]com:4432, pinned the TLS connection to an embedded certificate, WIN-I6VBN8MR92A.cer (SHA-1 55191348eb763dc853a719c0f3defdbe354127db), and justified its location permission request by displaying weather information fetched from the OpenWeatherMap API. Reporting also noted an iOS-related endpoint, api/IosUploadFile, on related infrastructure, suggesting that file exfiltration for iOS was in development.
Reported infrastructure and IoCs include signalplus[.]org:4332, flygram[.]org:4432, tryhrwserf[.]com:4432, tibetone[.]org, xle.clublogs[.]com, clublogs[.]com, actuallys[.]com, rewrwer[.]com, www.voiceoftibet[.]net, myloughborough[.]com, pmstwocqn[.]com, collinformations[.]com, and androidupdated[.]net. Reported infrastructure characteristics include Windows-hosted ASP.NET C2 servers, C2 API ports of 4432 or 4332, RDP exposed on 56931, and reused certificate and machine names such as WIN-50QO3EIRQVP, WMSvc-WIN-50QO3EIRQVP, WIN-EU0VLBL7TUJ, and WIN-70E59JVOB9G. WHOIS artifacts and registration overlaps involving keyboard-walk values and the emails tplutalova@list.ru, ivan_s81@mail.ru, and ocean.nio@rediffmail.com have also been reported. The ports and default-style Windows machine names are useful for pivoting in passive DNS and certificate transparency data, but on their own they are weak indicators and should be combined with a domain, path, or certificate match before alerting.
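As an added example (not code from any of the cited reports or from the Mallory platform), the following Python hunt takes the indicators above and runs them over a constructed key=value connection log: exact and subdomain matches on the reported domains, the iOS API paths, the pinned certificate fingerprint, and the reused certificate names score high; port 4432 or 4332 is flagged only in combination with an /api/ path, since the port alone is noisy; a default-looking WIN- certificate CN or RDP on 56931 is flagged as a low-confidence pivot. The log format, the sample lines, and the WIN-<11 alphanumerics> pattern are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators from the BadBazaar reporting summarised on this page.
IOC_DOMAINS = {
    "signalplus.org", "flygram.org", "tryhrwserf.com", "tibetone.org",
    "xle.clublogs.com", "clublogs.com", "actuallys.com", "rewrwer.com",
    "www.voiceoftibet.net", "myloughborough.com", "pmstwocqn.com",
    "collinformations.com", "androidupdated.net",
}
IOC_API_PORTS = {4432, 4332}           # reported C2 API ports
IOC_RDP_PORT = 56931                   # reported RDP port on C2 hosts
IOC_URI_PATHS = {"/api/iosvalues", "/api/ioslogin", "/api/iosuploadfile"}
IOC_CERT_SHA1 = {"55191348eb763dc853a719c0f3defdbe354127db"}  # WIN-I6VBN8MR92A.cer
IOC_CERT_NAMES = {
    "WIN-I6VBN8MR92A", "WIN-50QO3EIRQVP", "WMSvc-WIN-50QO3EIRQVP",
    "WIN-EU0VLBL7TUJ", "WIN-70E59JVOB9G",
}
# Assumption (not from the reporting): a default Windows hostname in a TLS
# subject CN looks like WIN-<11 alphanumerics>, optionally prefixed with the
# IIS management-service "WMSvc-". Weak signal on its own.
DEFAULT_WIN_CN_RE = re.compile(r"^(?:WMSvc-)?WIN-[A-Z0-9]{11}$")

# Reasons in evaluation order, each with a coarse confidence label.
CONFIDENCE = {
    "ioc_domain": "high",
    "ioc_uri_path": "high",
    "ioc_cert_sha1": "high",
    "ioc_cert_name": "high",
    "api_port_with_api_path": "medium",
    "default_windows_cn": "low",
    "rdp_port_56931": "low",
}

# Constructed sample log (assumed key=value format); not real telemetry.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 host=tryhrwserf.com dport=4432 uri=/api/iosvalues tls_sha1=55191348EB763DC853A719C0F3DEFDBE354127DB tls_cn=WIN-I6VBN8MR92A
ts=2 src=10.0.0.6 host=example.org dport=443 uri=/index.html tls_sha1=0000 tls_cn=example.org
ts=3 src=10.0.0.7 host=cdn.flygram.org dport=4432 uri=/api/IosUploadFile
ts=4 src=10.0.0.8 host=203.0.113.9 dport=4332 uri=/api/values tls_cn=WIN-ABCDEFGHIJK
ts=5 src=10.0.0.9 host=203.0.113.9 dport=56931
ts=6 src=10.0.0.10 host=www.example.net dport=4432 uri=/healthz
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    confidence: str
    value: str


def parse_kv_line(line):
    """Split a `key=value key=value` line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def domain_matches(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def check_line(line_no, line):
    f = parse_kv_line(line)
    path = f.get("uri", "").lower().split("?", 1)[0]
    try:
        dport = int(f.get("dport", "0"))
    except ValueError:
        dport = 0
    cert_sha1 = f.get("tls_sha1", "").lower()
    cert_cn = f.get("tls_cn", "")
    found = []

    def add(reason, value):
        found.append(Hit(line_no, reason, CONFIDENCE[reason], value))

    ioc = domain_matches(f.get("host", ""))
    if ioc:
        add("ioc_domain", ioc)
    if path in IOC_URI_PATHS:
        add("ioc_uri_path", path)
    if cert_sha1 in IOC_CERT_SHA1:
        add("ioc_cert_sha1", cert_sha1)
    if cert_cn in IOC_CERT_NAMES:
        add("ioc_cert_name", cert_cn)
    # The port alone is noisy; require the ASP.NET-style /api/ prefix too.
    if dport in IOC_API_PORTS and path.startswith("/api/"):
        add("api_port_with_api_path", f"{dport}{path}")
    if cert_cn and cert_cn not in IOC_CERT_NAMES and DEFAULT_WIN_CN_RE.match(cert_cn):
        add("default_windows_cn", cert_cn)
    if dport == IOC_RDP_PORT:
        add("rdp_port_56931", str(dport))
    return found


def hunt(log_text):
    """Run every non-empty line through check_line and return all hits."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            hits.extend(check_line(no, line))
    return hits


def reasons_by_line(hits):
    """Group hit reasons by log line number, preserving evaluation order."""
    out = {}
    for h in hits:
        out.setdefault(h.line_no, []).append(h.reason)
    return out


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} [{h.confidence}] {h.value}")
```

Lines 2 and 6 of the sample produce no hits: port 4432 on its own is deliberately not an alert. Line 4 shows the pivot case, an unknown IP serving an /api/ path on 4332 with a default-looking WIN- certificate name, which is worth a manual look but not a page.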
Some reporting has described BadBazaar as a banking trojan, and more recent telemetry cites it among the spyware families driving increased Android spyware activity. Overall, the high-confidence characterization is that BadBazaar is a long-running mobile spyware/surveillanceware family used in targeted espionage and monitoring campaigns against politically sensitive communities.
Groups observed using it
Two distinct threat actors attributed by public researchers.
The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
BADBAZAAR is a mobile malware with iOS and Android variants that have targeted Uyghurs, Tibetans and Taiwanese individuals.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: APT15 developed its own malware, allowing it to persist within victim networks (T1587.001).
Initial Access
3 techniques: The PRC has been publicly linked to cyber espionage operations against the Uyghur minority group, including members living in Canada, using spear phishing emails and spyware.
The app was circulated in targeted Telegram channels and Reddit forums where members of the Tibetan community gather.
BADBAZAAR is spread via social media platforms and official app stores.
Execution
1 technique: YouTube videos (promoting the use of the malicious applications) were created by the malicious cyber actors. These videos included tutorials on how to use the applications developed.
Defense Evasion
1 technique: Some infected apps mimic popular platforms like WhatsApp or Skype, while others are standalone applications designed to appear trustworthy, especially to users from the affected regions.
Collection
1 technique: These two spywares hid inside legitimate-looking Android apps, acting essentially as "Trojan" malware, with surveillance capabilities such as the ability to access the phone's cameras, microphone, chats, photos, and location data...
IOCs tracked for this family
34 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Malware referenced as targeting mobile users via fake apps; details not provided in the excerpt.
Android spyware family associated with surveillance, extortion, and identity theft activity.
Referenced in an NCSC UK advisory alongside MOONSHINE and UPSEC; the advisory provides no additional functional details.
Spyware embedded in mobile apps that covertly accesses microphones, cameras, messages, photos, and location data, enabling real-time surveillance of targets. It was specifically deployed via the Tibet One iOS app.