A sophisticated Android malware campaign has been uncovered by PreCrime™ Labs, the threat research division at BforeAI, involving at least 607 malicious domains registered through Gname.
These domains, predominantly Chinese-language and using typosquatted names such as “teleqram” and “telegramapp,” distribute fake Telegram Messenger APKs to unwitting users, relying on copied branding and aggressive search engine optimization (SEO) to draw traffic.

Deceptive Distribution
Victims are lured into downloading either a 60MB or 70MB Android APK masquerading as Telegram, often through QR codes embedded on the phishing domains.
Scanning these codes directs visitors to zifeiji[.]asia, a centralized distribution hub that replicates Telegram’s branding assets, including the favicon, download options, and design motifs, to foster user trust.
The site titles, rendered entirely in Chinese, repeatedly reference the so-called “Paper Plane Official Website” (Telegram’s paper-plane logo is the source of the app’s Chinese nickname), a tactic aimed both at boosting SEO rankings and at distracting from the illicit nature of the operation.
The campaign employs a blog-like webpage layout to appear legitimate and trustworthy. Analysis of the distributed APKs reveals they are signed using only the v1 (JAR) signature scheme, which exposes devices running Android 5.0 through 8.0 without the December 2017 security patch to the Janus vulnerability (CVE-2017-13156).

Janus abuses the fact that a v1 signature covers only the individual ZIP entries, not the file as a whole: an attacker can prepend a malicious DEX file to a v1-only APK, the package still verifies because the signed entries are untouched, and a vulnerable runtime executes the prepended code instead of the original. The v2 and later schemes sign the whole file (everything outside the APK Signing Block) and therefore block this, which is why a v1-only signature on a current app is itself a red flag.
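The check a practitioner wants here is whether a downloaded APK carries only a v1 signature. The following is an added example, not code from the PreCrime Labs report or from Telegram: it parses the ZIP End Of Central Directory record, looks for the APK Signing Block that the v2/v3 schemes place immediately before the central directory, and reports which schemes are present. The sample APKs it builds are constructed placeholders (no real certificates or signatures); `insert_signing_block` splices a synthetic block with the v2/v3 block IDs purely so the detection path can be exercised offline.

```python
import io
import struct
import zipfile

# Constants from the APK Signature Scheme v2/v3 specification.
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
V31_BLOCK_ID = 0x1B93AD61
EOCD_SIG = b"PK\x05\x06"


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP End Of Central Directory record (scanning back over a comment)."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a ZIP/APK: EOCD record not found")
    return idx


def central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> set:
    """IDs of the ID-value pairs in the APK Signing Block, empty if the APK has none.
    The block sits immediately before the central directory and ends with
    <uint64 size><16-byte magic>; the same size is repeated at its start."""
    cd = central_directory_offset(data)
    if cd < 24 or data[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed APK Signing Block (size fields disagree)")
    ids, pos = set(), start + 8
    while pos < cd - 24:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        ids.add(block_id)
        pos += 8 + pair_len
    return ids


def signature_schemes(data: bytes) -> list:
    """Which signing schemes the file carries, e.g. ['v1'] for a Janus-exposed APK."""
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    schemes = []
    if any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names):
        schemes.append("v1")
    ids = signing_block_ids(data)
    for label, bid in (("v2", V2_BLOCK_ID), ("v3", V3_BLOCK_ID), ("v3.1", V31_BLOCK_ID)):
        if bid in ids:
            schemes.append(label)
    return schemes


def janus_exposed(data: bytes) -> bool:
    """v1-only: nothing binds the bytes outside the ZIP entries, so a DEX can be
    prepended without invalidating the signature on unpatched Android 5.0-8.0."""
    return signature_schemes(data) == ["v1"]


def dex_prepended(data: bytes) -> bool:
    """Janus-shaped file: starts with a DEX header yet still carries a ZIP EOCD."""
    return data.startswith(b"dex\n") and data.rfind(EOCD_SIG) > 0


# --- constructed samples (placeholders, not real certificates or signatures) ---

def build_sample_apk(v1_signed: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        if v1_signed:  # JAR-style (v1) signature files
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82 constructed PKCS#7 placeholder")
    return buf.getvalue()


def insert_signing_block(apk: bytes, block_ids) -> bytes:
    """Splice a synthetic APK Signing Block (dummy values) in front of the central
    directory and fix up the EOCD offset, where apksigner places the real one."""
    eocd = find_eocd(apk)
    cd = central_directory_offset(apk)
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\0" * 8 for bid in block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    new_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]
    return apk[:cd] + block + apk[cd:eocd] + new_eocd


if __name__ == "__main__":
    samples = (("v1-only", build_sample_apk()),
               ("v1+v2+v3", insert_signing_block(build_sample_apk(), [V2_BLOCK_ID, V3_BLOCK_ID])))
    for name, sample in samples:
        print(name, signature_schemes(sample), "janus_exposed =", janus_exposed(sample))
```

On a real file the same answer comes from `apksigner verify --verbose app.apk`, which prints one `Verified using vN scheme` line per scheme; the script above is for triaging many downloads without the SDK installed. It only tells you which schemes are present, not whether the signatures are valid, so a suspect sample should still go through `apksigner` before any conclusion about the signer.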
Disassembled samples show the rogue APKs requesting broad external storage permissions (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE), which give the app access to every file on shared storage, including photos, downloads, and documents saved by other apps.
The apps fetch content over cleartext transports (HTTP and FTP, including downloads handled through Android’s DownloadManager), so anything they transfer can be read or modified by an on-path attacker.
Embedded within the application logic, MediaPlayer functions and socket-based callbacks facilitate the remote execution of arbitrary commands, allowing attackers to establish a persistent control channel for real-time surveillance, file exfiltration, and further exploitation.
Further analysis links parts of the infrastructure to the JavaScript file hosted at telegramt.net/static/js/ajs.js?v=3.
This script fingerprints visitor platforms (Android, iOS, PC), collects browsing data, and forwards the captured information to dszb77[.]com.
While the script currently only logs analytics, commented-out code sections indicate intentions to aggressively target Android users with persistent in-app download prompts.
Abuse Potential via Firebase
The campaign also highlights the risk posed by abandoned Firebase endpoints. The APKs attempt to connect to the now-inactive Firebase instance “tmessages2[.]firebaseio[.]com.”
The researchers warn that adversaries can effectively hijack such abandoned endpoints: if a new Firebase project can be registered under the same name, every previously distributed app that still tries to reach “tmessages2[.]firebaseio[.]com” would connect to the new owner’s infrastructure, keeping the campaign viable even after the original operators cease activity. The same risk applies to any app that hard-codes a backend hostname whose registration is later allowed to lapse.
PreCrime Labs strongly advises enterprises and end-users to avoid downloading APKs from unofficial sources, especially third-party blogs or mirrored websites offering “official” messaging apps.
Automated threat monitoring, swift takedown procedures, and the use of diverse threat intelligence solutions to identify malicious indicators such as APK hashes, domains, and URLs remain critical countermeasures.
The bulk of these malicious domains use the .com, .top, .xyz, .online, and .site TLDs; the cheap, bulk-registrable ones make it easy to spin up replacements as older domains are taken down or flagged in search engine and social media results.
With remote command execution and data exfiltration at the core of these malicious APKs, the campaign represents a substantial threat to both businesses and individuals who sideload apps onto Android devices.
Indicators of Compromise (IOC)
| Type | Value | Notes |
|---|---|---|
| Domain(s) | [Full list available online] | 607 domains (main site: zifeiji[.]asia) |
| TLDs observed | .com, .top, .xyz, .online, .site | |
| Hash: MD5 | acff2bf000f2a53f7f02def2f105c196 | Malicious Telegram APK variant 1 |
| Hash: MD5 | efddc2dddc849517a06b89095b344647 | Malicious Telegram APK variant 2 |
| Hash: SHA-1 | 9650ae4f4cb81602700bafe81d96e8951aeb6aa5 | Malicious Telegram APK variant 1 |
| Hash: SHA-1 | 6f643666728ee9bc1c48b497f84f5c4d252fe1bc | Malicious Telegram APK variant 2 |
| Malicious JS | https://telegramt.net/static/js/ajs.js?v=3 | Device tracking and targeting |
| C2/Analytics Domain | dszb77[.]com | Receives device/browser data |
| Typosquat Patterns | teleqram, telegramapp, telegramdl, apktelegram, etc. | |
| Firebase Endpoint | tmessages2[.]firebaseio[.]com | Abandoned, at high risk of hijacking |
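The typosquat patterns and TLDs in the table are the kind of indicator that a domain-monitoring feed can score automatically. The following is an added example, not tooling from PreCrime Labs or BforeAI: it folds common homoglyph tricks, measures edit distance from the brand label, recognizes brand-plus-affix constructions such as “telegramapp” and “apktelegram,” and raises the score for the bulk-registrable TLDs named in the report. The allow-list, affix list, and the sample domain feed are constructed for the example; the real lists would come from the organization’s own inventory and registrar data.

```python
BRAND = "telegram"
# Constructed allow-list of registrable domains the brand actually operates.
LEGIT_DOMAINS = {"telegram.org", "telegram.me", "t.me"}
# Affixes seen in the reported typosquats (app, dl, apk) plus a few common ones.
AFFIXES = {"app", "apk", "dl", "download", "official", "web"}
# Cheap, bulk-registrable TLDs named in the report (beyond .com).
RISKY_TLDS = {"top", "xyz", "online", "site"}
# Homoglyph substitutions folded before comparison.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"))

# Constructed sample feed; zifeiji.asia is the report's hub and carries no brand string.
SAMPLE_FEED = [
    "teleqram.top", "telegramapp.xyz", "apktelegram.site", "telegramdl.online",
    "te1egram.com", "zifeiji.asia", "download.telegram.org", "example.com",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold look-alike character sequences so 'te1egram' and 'telegrarn' compare as 'telegram'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def split_domain(domain: str):
    """Naive registrable label + TLD split (a real deployment would use the Public Suffix List)."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def assess(domain: str) -> dict:
    """Score one domain against the brand; verdict is allowlisted, suspect or clean."""
    label, tld = split_domain(domain)
    result = {"domain": domain.lower(), "label": label, "tld": tld, "reasons": [], "verdict": "clean"}
    if f"{label}.{tld}" in LEGIT_DOMAINS:
        result["verdict"] = "allowlisted"
        return result
    norm = normalize(label)
    dist = levenshtein(norm, BRAND)
    if norm == BRAND:
        result["reasons"].append("brand name as registrable label on an unowned domain")
    elif dist <= 2:
        result["reasons"].append(f"edit distance {dist} from brand after homoglyph folding")
    elif BRAND in norm:
        rest = norm.replace(BRAND, "", 1)
        if rest in AFFIXES:
            result["reasons"].append(f"brand combined with affix '{rest}'")
        else:
            result["reasons"].append("brand embedded in label")
    if result["reasons"]:
        if tld in RISKY_TLDS:
            result["reasons"].append(f"bulk-registrable TLD .{tld}")
        result["verdict"] = "suspect"
    return result


def triage(feed) -> list:
    """Return only the suspect entries of a domain feed, in feed order."""
    return [r for r in (assess(d) for d in feed) if r["verdict"] == "suspect"]


if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit["domain"], "->", "; ".join(hit["reasons"]))
```

Note what this check cannot see: the report’s actual distribution hub, zifeiji[.]asia, contains no brand string at all and scores clean, which is why the typosquat domains matter mostly as the entry points that redirect to it. Brand-keyword monitoring flags the lures; following the redirect chain, QR code targets, and served APK hashes is what identifies the hub.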