Fake Telegram Apps Spread via 607 Domains in New Android Malware Attack

A new threat campaign is tricking Android users into downloading fake Telegram apps from hundreds of malicious domains, according to new research from BforeAI’s PreCrime Labs. The operation, active in recent weeks, uses lookalike websites, QR code redirections, and a modified APK laced with dangerous permissions and remote execution features.
The threat intelligence team identified 607 domains linked to the campaign. All pose as official Telegram download pages, most registered through the Gname registrar and hosted in China. Some sites use domain names like teleqram, telegramapp, and telegramdl to mimic the brand, targeting users who may not notice slight spelling changes.
According to BforeAI’s blog post shared with Hackread.com ahead of publishing on Tuesday, victims are prompted to download what appears to be the Telegram Messenger app via links or QR codes.
Researchers also observed two versions of the APK, roughly 60 MB and 70 MB in size. Once installed, the app behaves like the real thing on the surface but quietly requests broad permissions and opens a channel for remote command execution.
What’s noticeable is that the phishing sites used in this campaign look like personal blogs or unofficial fan pages. A typical example redirects users to zifeiji(.)asia, a site styled with Telegram’s favicon, download buttons, and colours. Page titles are loaded with Chinese SEO phrases such as “Paper Plane Official Website Download”, apparently to improve visibility in search results while distracting users from the app’s real intent.
The malicious APK is signed only with the legacy v1 (JAR) signature scheme, which leaves it exposed to the Janus vulnerability affecting Android versions 5.0 through 8.0. Janus lets an attacker prepend code to a legitimate APK without invalidating its signature: v1 signing covers only the individual zip entries, not the file as a whole, so bytes placed before the zip data go unsigned while the runtime still loads them. In this case the malware keeps a valid signature, which helps it slip past checks that rely on signature verification alone.
Once on a device, the app uses cleartext protocols (HTTP, FTP) and accesses external storage broadly. It also includes code that interacts with MediaPlayer and uses sockets to receive and act on remote commands. This level of control could be used to monitor activity, steal files, or launch further attacks.
For reference, the Janus vulnerability (CVE-2017-13156) allowed an attacker to modify a legitimate APK or DEX file without changing its cryptographic signature, so a tampered app still appeared trusted and unaltered. Google fixed it in the December 2017 Android security patch level, so fully patched devices are not affected; a v1-only signature on a 2025 APK is nevertheless a strong tampering and negligence indicator, since the v2 and later schemes, which sign the whole file, have been available since Android 7.0.
One key finding relates to a now-deactivated Firebase Realtime Database at tmessages2(.)firebaseio(.)com, previously used by the attackers. While the original database has gone offline, researchers warn that it could easily be reactivated by any attacker who registers a new Firebase project under the same name.
Older samples that hard-code that endpoint would then connect to the new attacker-controlled database automatically. This dangling-endpoint tactic extends the campaign’s viability even if the original operators move on.
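Two of the static checks above are easy to automate before an APK ever reaches a device: whether it carries only a v1 signature (and is therefore Janus-exposed) and which endpoints it hard-codes, including cleartext URLs and firebaseio.com databases. The following is an added example written for this article, not BforeAI's tooling or code from the campaign. It builds a constructed stand-in APK (a zip with placeholder signing files and, optionally, a synthetic APK Signing Block with dummy pair values rather than real signatures) purely to exercise the parsers; the URLs under example.invalid are made up, and the only identifier taken from the article is the Firebase hostname.

```python
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2 pair id
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3 pair id
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def _eocd_offset(data: bytes) -> int:
    # The EOCD record is the last 22 bytes unless a zip comment (<= 64 KiB) follows it.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip file: EOCD record not found")
    return idx


def signing_schemes(data: bytes) -> dict:
    """Report which signature schemes an APK carries.

    v1 (JAR) signing lives in META-INF/ and covers only the zip entries, so bytes
    outside them (a Janus DEX prefix) are unsigned. v2/v3 live in the APK Signing
    Block immediately before the central directory and cover the whole file.
    """
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]   # central directory start
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    found = {
        "v1": any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                  for n in names),
        "v2": False,
        "v3": False,
    }
    if cd_offset >= 24 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        # Block layout: size(u64) | id-value pairs | size(u64) | 16-byte magic.
        # The size excludes the leading size field, so the pairs start at cd_offset - size.
        size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
        pos, end = cd_offset - size, cd_offset - 24
        while pos < end:
            pair_len, pair_id = struct.unpack_from("<QI", data, pos)   # len covers id + value
            found["v2"] |= pair_id == V2_BLOCK_ID
            found["v3"] |= pair_id == V3_BLOCK_ID
            pos += 8 + pair_len
    found["janus_exposed"] = found["v1"] and not (found["v2"] or found["v3"])
    return found


def hardcoded_endpoints(data: bytes) -> dict:
    """Extract URL-like strings from every entry and flag cleartext and Firebase ones."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            urls.update(m.decode("ascii", "replace") for m in URL_RE.findall(zf.read(name)))
    return {
        "cleartext": sorted(u for u in urls if u.startswith(("http://", "ftp://"))),
        "firebase": sorted(u for u in urls if ".firebaseio.com" in u),
    }


def build_sample_apk(v1: bool = True, block_ids: tuple = ()) -> bytes:
    """Constructed stand-in for an APK (assumption: placeholder contents, not real signatures)."""
    strings = b"\x00".join([b"https://tmessages2.firebaseio.com/", b"http://example.invalid/update",
                            b"ftp://example.invalid/files", b"https://example.invalid/api"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + strings)
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
    data = buf.getvalue()
    if not block_ids:
        return data
    # Splice a synthetic APK Signing Block in front of the central directory, as apksigner
    # does, and patch the EOCD's central-directory offset to account for the inserted bytes.
    pairs = b"".join(struct.pack("<QI", 4 + 32, bid) + b"\x00" * 32 for bid in block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    eocd_rec = bytearray(data[eocd:])
    struct.pack_into("<I", eocd_rec, 16, cd_offset + len(block))
    return data[:cd_offset] + block + data[cd_offset:eocd] + bytes(eocd_rec)


if __name__ == "__main__":
    sample = build_sample_apk()
    print(signing_schemes(sample))        # v1 only -> janus_exposed True
    print(hardcoded_endpoints(sample))    # cleartext http/ftp URLs and the firebaseio host
```

On a real sample, `apksigner verify --verbose app.apk` from the Android SDK build tools gives the same per-scheme answer authoritatively; the parser here is useful where that tool is not available or where thousands of files need bulk triage. The URL scan is deliberately crude (it reads raw entry bytes, so it misses obfuscated or concatenated strings), which is exactly why a Firebase hostname that does show up in plain text, as in this campaign, deserves a follow-up check of whether the project is still registered.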

The malicious infrastructure also uses tracking JavaScript, such as ajs.js hosted on telegramt(.)net. The script collects device and browser details, sends the data to a remote server, and contains commented-out code to display a floating download banner aimed at Android users. The setup is designed to raise installation rates by detecting the visitor’s device and tailoring the page to it.
Out of the 607 domains, the top-level domain usage was as follows:
.com: 316
.top: 87
.xyz: 59
.online: 31
.site: 24
The high number of .com registrations suggests a deliberate effort to add credibility, while the use of low-cost domains supports wide distribution.
To reduce the risk of exposure, BforeAI suggests that organisations take a few key precautions. First, set up automated domain monitoring to catch suspicious or lookalike registrations before the sites go live. It’s also important to check APK files, URLs, and related hashes against multiple threat intelligence sources; a match is a clear signal, while a clean result only means nothing has been reported yet.
Where possible, block the delivery of APK or SVG attachments, especially if those file types aren’t needed for business use. Lastly, make sure users are trained to avoid downloading apps from unofficial sites, even if the page looks legitimate or mimics a well-known brand.
Phishing techniques have become sophisticated, and this campaign shows how old exploits like Janus can still be used against unsuspecting users. The combination of QR codes, typosquatting, and repurposed cloud services means simple filtering is no longer enough.
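The domain-monitoring recommendation is the one most teams can act on the same day. The following is an added example for this article, not BforeAI’s PreCrime tooling: it screens a feed of newly registered domains for the two lookalike patterns the campaign used, a brand-containing label (telegramapp, telegramdl, telegramt) and a one-character substitution (teleqram), after folding a small, assumed table of visually confusable characters. The input list is constructed; the allowlist of telegram.org and t.me is illustrative rather than an official inventory of Telegram’s domains.

```python
from typing import Dict, List, Optional

BRAND = "telegram"
# Domains Telegram itself uses; anything else resembling the brand is suspect.
# Illustrative allowlist (assumption), not an official list.
ALLOWLIST = {"telegram.org", "t.me"}
# Partial confusables table (assumption): characters folded before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "q": "g"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), enough for one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why a domain looks like the brand, or None if it does not."""
    d = domain.lower().strip(".")
    if d in ALLOWLIST or d.endswith(tuple("." + a for a in ALLOWLIST)):
        return None
    for label in d.split(".")[:-1]:          # every label except the TLD itself
        folded = label.translate(CONFUSABLES)
        if BRAND in folded:
            return f"label '{label}' contains '{BRAND}' after confusable folding"
        if levenshtein(folded, BRAND) <= 1:
            return f"label '{label}' is within edit distance 1 of '{BRAND}'"
    return None


def triage(newly_registered: List[str]) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    flagged = {}
    for domain in newly_registered:
        reason = lookalike_reason(domain)
        if reason:
            flagged[domain] = reason
    return flagged


# Constructed feed: the article's lookalike names plus legitimate and unrelated controls.
SAMPLE_FEED = [
    "teleqram.com", "telegramapp.top", "telegramdl.xyz", "telegramt.net", "te1egrm.online",
    "telegraph.co.uk", "telegram.org", "web.telegram.org", "example.com",
    # zifeiji.asia was part of the campaign but carries no brand string; name-based
    # monitoring cannot catch it, so content signals (favicon, SEO titles) are still needed.
    "zifeiji.asia",
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED).items():
        print(f"{domain}: {reason}")
```

The last entry in the feed is the caveat to keep in mind: lookalike matching catches typosquats but not arbitrary domains dressed up with Telegram branding, which need page-content or infrastructure pivots (shared registrar, hosting, favicon hash) rather than string similarity.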
HackRead