Fake Telegram Apps Laced with Malware Target Android Users Through Phishing Domains

by | Jul 16, 2025 | News





607 Fake Telegram Domains Deliver Android Malware in Widespread Campaign

A Sophisticated Android Malware Operation

Researchers at BforeAI's PreCrime Labs have uncovered a large-scale Android malware campaign built on 607 malicious domains that impersonate Telegram download pages. The sites push fake Telegram APKs loaded with malware and rely on typosquatting, QR-code redirection and SEO-optimised blog layouts to draw victims in.

The campaign is active as of July 2025 and aims to infect unsuspecting Android users with malware that mimics Telegram while silently granting the attacker broad system access.


Fake App, Real Threat

Victims are tricked into downloading a counterfeit Telegram via phishing emails, QR codes, or innocuous-looking blog-style websites. The fake APKs (two variants, roughly 60 MB and 70 MB) look and behave like the real app, but in the background they:

  • Request excessive permissions
  • Enable remote command execution
  • Exfiltrate sensitive data over cleartext protocols (HTTP, FTP)

The phishing websites closely resemble Telegram branding with download buttons, icons, and titles like “Paper Plane Official Website Download” to lure users via search engines.


APKs Signed Only With v1, Leaving Them Exposed to Janus

The APKs carry only the legacy v1 (JAR) signature, which makes them susceptible to the Janus vulnerability (CVE-2017-13156). Janus lets an attacker prepend a DEX file to an APK so that the result is at once a valid DEX and a valid ZIP; because the v1 signature covers only the ZIP entries rather than the whole file, the tampered package still passes signature verification on affected devices (Android 5.0 to 8.0 without the December 2017 patch) and the injected code runs under the original app's identity. APKs that also carry a v2 or v3 signature are not affected, since those schemes sign the entire file. For a defender, a v1-only APK is therefore a signal that a trojanised copy could be passed off as a legitimate update on older handsets.

Once installed, the malware can:

  • Execute commands from a remote server
  • Abuse the MediaPlayer API for possible surveillance
  • Create persistent socket connections for live attacker control

This allows for file theft, activity monitoring, or launching secondary payloads.
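A practical triage check for the point above is to ask which signature schemes an APK actually carries: v1 leaves PKCS#7 files under META-INF/, while v2 and v3 live in the APK Signing Block that sits just before the ZIP central directory. The script below is an added example, not code from BforeAI or the campaign; it parses that block by its documented layout, flags a v1-only package as Janus-exposed, and also flags a file that starts with the DEX magic instead of "PK" (the Janus trick itself). The sample APKs are constructed in memory with dummy signature payloads, so it verifies presence of the schemes, not the signatures themselves.

```python
"""Report which Android signature schemes an APK carries and flag v1-only
packages (Janus-exposed). Sample APKs below are constructed; the signing-block
payloads are dummy bytes, not real signatures."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer of the APK Signing Block
V2_BLOCK_ID = 0x7109871A                    # APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0                    # APK Signature Scheme v3
V31_BLOCK_ID = 0x1B93AD61                   # APK Signature Scheme v3.1
DEX_MAGIC = b"dex\n"                        # a Janus-style file starts with this, not "PK"


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record (searched from the end)."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a zip: no EOCD record")
    return idx


def central_directory_offset(data: bytes) -> int:
    """Central-directory offset as recorded in the EOCD (field at +16)."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> set:
    """IDs of the ID-value pairs in the APK Signing Block, or an empty set.

    Layout: uint64 size | pairs | uint64 size | 16-byte magic, where each pair is
    uint64 length | uint32 id | value and 'size' excludes the leading uint64.
    The block sits immediately before the central directory.
    """
    cd = central_directory_offset(data)
    if cd < 24 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        return set()          # inconsistent size fields: treat the block as absent
    ids, pos, end = set(), start + 8, cd - 24
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids


def has_v1_signature(data: bytes) -> bool:
    """v1 (JAR) signing leaves a PKCS#7 signature file under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                   for n in zf.namelist())


def assess_apk(data: bytes) -> dict:
    """Which schemes are present and whether the package is Janus-exposed (v1 only)."""
    ids = signing_block_ids(data)
    v1, v2 = has_v1_signature(data), V2_BLOCK_ID in ids
    v3 = V3_BLOCK_ID in ids or V31_BLOCK_ID in ids
    return {
        "v1": v1, "v2": v2, "v3": v3,
        "dex_prefixed": data[:4] == DEX_MAGIC,   # file is a DEX glued onto a ZIP
        "janus_exposed": v1 and not (v2 or v3),
    }


def build_sample_apk(v1: bool = True, block_ids=()) -> bytes:
    """Constructed toy APK (not from the campaign): a ZIP with a manifest, optional
    v1 signature files, and a synthetic APK Signing Block carrying block_ids."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82 dummy PKCS#7 blob")
    data = buf.getvalue()
    if not block_ids:
        return data
    pairs = b"".join(struct.pack("<QI", 4 + 16, bid) + b"\0" * 16 for bid in block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(data)
    cd_off = central_directory_offset(data)
    new_eocd = bytearray(data[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_off + len(block))   # repoint the central directory
    return data[:cd_off] + block + data[cd_off:eocd] + bytes(new_eocd)


def build_janus_sample() -> bytes:
    """Constructed Janus-shaped file: a DEX header glued in front of a v1-only APK."""
    return DEX_MAGIC + b"035\0" + b"\0" * 32 + build_sample_apk(v1=True)


if __name__ == "__main__":
    for name, apk in [("v1 only", build_sample_apk()),
                      ("v1+v2", build_sample_apk(block_ids=[V2_BLOCK_ID])),
                      ("janus-shaped", build_janus_sample())]:
        print(name, assess_apk(apk))
```

Run it against a real file with `assess_apk(open("app.apk", "rb").read())`. It answers only "which schemes are present"; to verify that the signatures are actually valid and see the signer certificates, follow up with `apksigner verify --print-certs app.apk` from the Android SDK build tools.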


Firebase Abuse and Infrastructure Insights

An older version of the malware connects to a Firebase endpoint at tmessages2[.]firebaseio[.]com, which has since been deactivated. Researchers warn that the infrastructure could be revived cheaply: if anyone re-registers a Firebase project under the same name, still-infected clients that poll that endpoint would silently reconnect to the new owner.

Another technical component is a malicious tracking script (ajs.js) hosted on telegramt[.]net, which:

  • Collects device/browser fingerprint data
  • Sends it to attacker-controlled servers
  • Contains unused code to display Android-targeted download banners

Image (via BforeAI): the page distributing the malicious Telegram APK mimics a blog layout and prompts users to install the app, which requests a set of permissions categorised by severity according to their potential for misuse.




Domain Stats Reveal Strategic Choices

The five most common TLDs account for 517 of the 607 domains, with the remaining 90 spread across other extensions:

  • .com: 316
  • .top: 87
  • .xyz: 59
  • .online: 31
  • .site: 24

This blend of a trusted TLD and cheap alternatives reflects a trade-off between credibility and low-cost sprawl.

Most domains were registered through the Gname registrar and hosted in China, which complicates legal takedown efforts.


How Organizations Can Defend Themselves

BforeAI recommends several preventive measures:

  1. Automated domain monitoring to detect lookalikes early
  2. Multi-source threat scanning for APKs, hashes, and URLs
  3. Block APK or SVG file delivery if not required for business
  4. Train users to avoid downloading apps from unofficial sources—even if the page appears authentic
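The first recommendation, automated lookalike monitoring, is simple enough to prototype against a feed of newly registered domains. The script below is an added example, not BforeAI's tooling: it strips the TLD, undoes common homoglyph swaps, and flags a domain when the brand appears as a token, is embedded in the label, or sits within a small edit distance. The domain feed is constructed except telegramt[.]net, which the article names; the official-domain allowlist and the homoglyph table are assumptions to adapt locally.

```python
"""Flag newly observed domains that impersonate a brand. Sample feed is
constructed (telegramt.net is the one named in the article); the allowlist
and homoglyph table are assumptions."""

BRAND = "telegram"
OFFICIAL = {"telegram.org", "telegram.me", "t.me"}   # assumption: your allowlist

# Substitutions that survive a casual glance (partial table, assumption).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo homoglyph substitutions so 'te1egrarn' compares as 'telegram'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Second-level label. Naive on purpose: production code should strip the
    public suffix with the Public Suffix List so 'foo.co.uk' yields 'foo'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(domain: str, brand: str = BRAND, max_distance: int = 2) -> list:
    """Why a domain looks like the brand; an empty list means not suspicious."""
    domain = domain.lower().replace("[.]", ".")       # accept defanged input
    if domain in OFFICIAL:
        return []
    label = registrable_label(domain)
    norm = normalize(label)
    tokens = [t for t in norm.replace("_", "-").split("-") if t]
    reasons = []
    if brand in tokens:
        reasons.append("brand as token")            # telegram-download
    elif brand in norm:
        reasons.append("brand embedded")            # telegramt
    else:
        best = min(levenshtein(t, brand) for t in tokens)
        if best <= max_distance:
            reasons.append(f"edit distance {best} to '{brand}'")
    if reasons and norm != label:                   # only meaningful once the brand matched
        reasons.append("homoglyph substitution")
    return reasons


def flag_domains(domains) -> dict:
    """Map of flagged domain -> reasons, ready for a ticket or blocklist."""
    flagged = {}
    for d in domains:
        reasons = lookalike_reasons(d)
        if reasons:
            flagged[d] = reasons
    return flagged


# Constructed feed of newly registered domains; only telegramt.net comes from the article.
SAMPLE_FEED = ["telegramt.net", "te1egram-download.top", "telegrarn.xyz",
               "telegrm.site", "telegram.org", "example.com", "paperplane-apk.online"]

if __name__ == "__main__":
    for d, why in flag_domains(SAMPLE_FEED).items():
        print(f"{d}: {', '.join(why)}")
```

Note what this does not catch: a page titled "Paper Plane Official Website Download" on a domain that never mentions the brand (paperplane-apk.online in the constructed feed) passes untouched, so name-based monitoring needs pairing with content checks (logo hashes, page-title matching) or the kind of predictive scoring BforeAI describes.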

Source: hackread.com