A recent study by BforeAI’s PreCrime Labs has revealed a widespread malware campaign deceiving Android users into downloading counterfeit Telegram applications from hundreds of malicious domains. This operation, which has been active in recent weeks, employs various tactics, including lookalike websites and QR code redirection, to lure unsuspecting victims into installing compromised software.
Researchers have identified 607 domains associated with this scheme, which masquerade as legitimate Telegram download portals. The majority of these domains have been registered through Gname registrar and are hosted in China. Many of them use similar-sounding names, such as teleqram and telegramapp, potentially tricking users who might not notice the slight spelling variations.
Victims are led to believe they are obtaining the legitimate Telegram Messenger app, but upon installation, the software behaves normally while secretly granting extensive permissions and enabling remote command execution. The APK, available in two sizes of 60MB and 70MB, has been observed to use compromised security protocols to gain control over the device.
Furthermore, the malicious APK takes advantage of the Janus vulnerability, a flaw in Android's legacy APK signature verification that lets threat actors embed malicious code in a legitimately signed application without invalidating its signature. This allows the malware to evade detection while maintaining its deceptive appearance.
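Janus works because a single file can begin with a DEX header yet still end with a valid ZIP central directory, and the legacy v1 (JAR) signature only covers the ZIP entries, not the prepended bytes. The following Python check is an added example, not code from the BforeAI report; it flags files with that dual-format layout, and the sample inputs are constructed inline (placeholder bytes, not a real or executable package).

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"              # every DEX file starts with "dex\n" + version + NUL
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # a normal APK starts with a ZIP local-file header


def classify(data: bytes) -> str:
    """Coarse file-type label based on what is at offset 0 and whether a
    ZIP central directory can be found at the end of the file."""
    is_zip = zipfile.is_zipfile(io.BytesIO(data))  # tolerates prepended data
    if data.startswith(ZIP_LOCAL_HEADER) and is_zip:
        return "apk"
    if data.startswith(DEX_MAGIC) and is_zip:
        return "janus-shaped"  # DEX in front, ZIP behind: the Janus layout
    if data.startswith(DEX_MAGIC):
        return "dex"
    return "unknown"


def looks_like_janus(data: bytes) -> bool:
    """True when the file would be parsed as DEX by the runtime (DEX magic at
    offset 0) but still verifies as a ZIP archive, which is what Janus relies on."""
    return classify(data) == "janus-shaped"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the entry names a package has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 24)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_janus_shaped_file() -> bytes:
    """Constructed: a 0x70-byte placeholder DEX header followed by the sample ZIP.
    Only the layout is reproduced; the DEX portion contains no code."""
    placeholder_dex_header = DEX_MAGIC + b"035\0" + b"\0" * 0x68
    return placeholder_dex_header + build_sample_apk()


def scan_file(path: str) -> str:
    """Classify an on-disk download, e.g. from a proxy or mail-gateway quarantine."""
    with open(path, "rb") as fh:
        return classify(fh.read())
```

Devices that enforce APK Signature Scheme v2 reject such files because v2 hashes the whole file including the prefix, so this check is for scanning downloads offline rather than a substitute for keeping Android patched.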
In an alarming twist, researchers have noted that a now-deactivated Firebase database previously employed by the attackers could be easily reactivated, extending the life cycle of this campaign. As such, it is recommended that organizations adopt monitoring protocols to detect suspicious domain registrations and educate users about the dangers of downloading applications from unofficial sources. The ongoing evolution in phishing tactics underscores the need for heightened vigilance among Android users.