Hackers aligned with Chinese interests are targeting Android users with fake encrypted chat apps Trojanized with espionage capabilities in separate and ongoing campaigns, one active since July 2020 and the other for more than 12 months.

Researchers at Eset on Wednesday attributed the campaigns to a threat group tracked as Gref, which overlaps with activity also ascribed to groups including APT15, Vixen Panda and Ke3Chang.

Chinese hackers impersonated the Signal and Telegram apps on Google Play and Samsung Galaxy Store through apps representing themselves as “Signal Plus Messenger” and “FlyGram.” The apps contained “BadBazaar” spyware – malicious code previously used to target Uyghurs and other Turkic ethnic minorities in China.