Malicious Telegram APK Campaign Advisory
A malicious Telegram APK distribution campaign involves 607 domains posing as the official Telegram website and steering users, via QR codes, to download a malicious APK. The APK relies on an outdated signature scheme to evade security checks and requests dangerous permissions in order to steal data and remotely control the device. 2025-7-15 11:2:56 Author: bfore.ai


Over the past month, the team at PreCrime™ Labs, the threat research division at BforeAI, has identified a large malicious campaign of 607 domains actively distributing Android application packages (“APKs”) claiming to be Telegram Messenger. These domains, linked to a large-scale phishing and malware campaign, were registered through the Gname registrar, and their pages are primarily written in Chinese.

The entire list of domains can be accessed here.

Two distinct APKs were offered for download, 60MB and 70MB in size respectively. The hash values of these APKs are:

Hash   Value
MD5    acff2bf000f2a53f7f02def2f105c196
MD5    efddc2dddc849517a06b89095b344647
SHA-1  9650ae4f4cb81602700bafe81d96e8951aeb6aa5
SHA-1  6f643666728ee9bc1c48b497f84f5c4d252fe1bc

Figure 1: Telegram APK download site featured in Chinese language

Overview of Malicious Telegram APK Campaign Advisory

The malicious domains host a QR code which delivers an application disguised as Telegram. The QR code redirects victims to zifeiji[.]asia, which carries the attributes of the official Telegram site, such as the favicon, a downloadable APK and the theme. All the Telegram-impersonating websites therefore funnel victims to this one main site, where the APK is downloaded with a single click.

Interestingly, the page titles of these domains, written in Chinese, share an unusual attribute: they read “Paper Plane Official Website Entrance – Paper Plane Official Website – Paper Plane Official Website Download | Paper Plane Official Website Entrance | Paper Plane Official Website Chinese Version | Paper Plane Official Website Login” (“Paper Plane” is the common Chinese nickname for Telegram), while the page itself is a phished copy of Telegram. This appears to be both a credibility tactic and a distraction, mimicking the search engine optimization (SEO) methods that might be used to promote Telegram.

Figure 2: Blog-like appearance of a phishing site distributing the malicious Telegram APK

The APK is signed only with the v1 (JAR) signature scheme, which leaves it exposed to the Janus vulnerability on Android 5.0 – 8.0. Janus allows attackers to craft deceptive applications, such as fake banking or social media apps, that are designed to pass current security measures despite modern restrictions on installing modified apps. The attacker modifies the application and then repackages it under its original v1 signature; because the v1 scheme only verifies the individual ZIP entries rather than the whole file, the modification goes undetected and the trojanized app installs without raising suspicion. In essence, Janus lets attackers make an app more dangerous, redistribute it as an APK, and trick users (especially on older devices) into installing it while bypassing signature checks entirely.
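One way a defender can triage an APK for exactly this exposure, as an added example that is not code from BforeAI or the original report: the script below reads the ZIP structure of an APK and reports whether it carries an APK Signing Block with a v2 signature (block ID 0x7109871a) or a v3 signature (block ID 0xf05368c0), or only the v1 signature files under META-INF/. The two sample APKs are constructed in memory and are not real apps; the v2 block in the second sample is a dummy with correct framing only, so the check establishes which schemes are present, not whether the signatures verify.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs assigned by the APK Signature Scheme v2 and v3 specifications.
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0


def find_eocd(data: bytes) -> int:
    """Return the offset of the ZIP End of Central Directory record."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    return idx


def signing_block_ids(data: bytes) -> set:
    """Return the IDs of all ID-value pairs in the APK Signing Block (empty set if none)."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 24:
        return set()
    # The block ends with: uint64 size_of_block, then the 16-byte magic, right before the central directory.
    size, magic = struct.unpack_from("<Q16s", data, cd_offset - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        return set()
    block_start = cd_offset - size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        return set()  # leading and trailing size fields disagree: malformed block
    ids = set()
    pos, end = block_start + 8, cd_offset - 24
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)  # uint64 length, uint32 ID
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids


def signature_schemes(data: bytes) -> dict:
    """Report which signature schemes an APK carries and whether it is v1-only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_v1 = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names)
    ids = signing_block_ids(data)
    report = {"v1": has_v1, "v2": V2_BLOCK_ID in ids, "v3": V3_BLOCK_ID in ids}
    # Janus matters only when no v2/v3 signature covers the whole file.
    report["v1_only"] = has_v1 and not (report["v2"] or report["v3"])
    return report


def make_sample_apk(with_v2_block: bool) -> bytes:
    """Build a constructed, minimal APK-like ZIP for demonstration (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder bytes, not a real PKCS#7 blob
    data = buf.getvalue()
    if not with_v2_block:
        return data
    # Insert a dummy APK Signing Block between the entries and the central directory.
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"\x00" * 32  # stand-in for a real v2 signer block
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    # The EOCD moved by len(block); fix its central-directory offset field accordingly.
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)


if __name__ == "__main__":
    for flag in (False, True):
        print("with v2 block:" if flag else "v1 only:     ", signature_schemes(make_sample_apk(flag)))
```

A `v1_only` result is the condition the advisory describes: on a device in the affected Android range the installer has nothing but the JAR signature to rely on, so such a sample deserves a closer look. For real samples, run `apksigner verify --verbose` on the file as well, since this script checks presence of the schemes, not their validity.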

Strings in the application reference cleartext transport (HTTP, FTP and DownloadManager), bypassing secure transmission, and the app requests broad external storage permissions (typically READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE), exposing user data on the device to the malicious app. The APK invokes MediaPlayer and executes remote commands received through socket-based callbacks, so the fake Telegram app can receive and run commands in real time. For the attacker this enables data theft, surveillance, remote control of the device and command execution.
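The cleartext and storage findings above are the kind of thing a static manifest check surfaces before an analyst ever runs the sample. The following is an added example, not code from BforeAI or the original report: it parses a decoded AndroidManifest.xml (as produced by apktool or similar), flags permissions according to an assumed triage policy, and checks the `android:usesCleartextTraffic` attribute. The manifest is constructed for the example and is not the real APK's manifest; the package name and severity table are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
RANK = {"low": 0, "medium": 1, "high": 2}

# Assumed triage policy for this example; Android's own protection levels are a different notion.
SEVERITY = {
    "android.permission.READ_EXTERNAL_STORAGE": "medium",
    "android.permission.WRITE_EXTERNAL_STORAGE": "medium",
    "android.permission.READ_SMS": "high",
    "android.permission.RECEIVE_SMS": "high",
    "android.permission.READ_CONTACTS": "high",
    "android.permission.RECORD_AUDIO": "high",
    "android.permission.SYSTEM_ALERT_WINDOW": "high",
    "android.permission.REQUEST_INSTALL_PACKAGES": "high",
}

# Constructed manifest showing the traits the advisory describes (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Telegram" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Flag risky permissions and network settings in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = [el.get(ANDROID + "name") for el in root.iter("uses-permission")]
    app = root.find("application")
    cleartext = app is not None and app.get(ANDROID + "usesCleartextTraffic", "false").lower() == "true"

    findings = [(p, SEVERITY[p]) for p in perms if p in SEVERITY]
    if cleartext:
        # Explicitly opting into HTTP/FTP traffic is what makes the cleartext strings reachable.
        findings.append(('android:usesCleartextTraffic="true"', "high"))
    storage = [p for p in perms if p.endswith("_EXTERNAL_STORAGE")]
    if "android.permission.INTERNET" in perms and storage:
        # Network access plus shared-storage access is the minimum needed to exfiltrate user files.
        findings.append(("INTERNET combined with external storage access", "medium"))

    return {
        "package": root.get("package"),
        "permissions": perms,
        "cleartext_allowed": cleartext,
        "findings": findings,
        "max_severity": max((s for _, s in findings), key=RANK.get, default="none"),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "->", result["max_severity"])
    for item, sev in result["findings"]:
        print(f"  [{sev:6}] {item}")
```

The combination rule is the point: individually, INTERNET and storage permissions are ordinary, but together with a cleartext opt-in they match the exfiltration path the advisory describes, which is why the rule scores the pair rather than each permission alone.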

Most frequent top-level domains (TLDs) among the 607 domains:

  • .com: 316
  • .top: 87
  • .xyz: 59
  • .online: 31
  • .site: 24

Figure 3: Permissions requested by the malicious Telegram APK, flagged according to severity

The domains used typosquat variants of the brand such as “teleqram”, “telegramapp”, “telegramdl”, “apktelegram”, etc.
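A domain monitoring feed can catch these patterns automatically. The script below is an added example, not code from BforeAI or the original report: it scores each registrable label against the brand name using three signals seen in this campaign, a visually confusable character (“teleqram”), the brand plus a download-sounding token (“telegramapp”, “telegramdl”, “apktelegram”), and a small edit distance including adjacent transpositions. The confusable table, download-token list, allowlist of the vendor's real domains and the sample domain list are all constructed assumptions for the example.

```python
BRAND = "telegram"
# Character sequences that pass for the brand in a browser bar (constructed list).
CONFUSABLES = {"q": "g", "1": "l", "0": "o", "rn": "m", "vv": "w"}
# Tokens attackers append to a brand to pose as an official download page (constructed list).
DOWNLOAD_TOKENS = ("app", "apk", "dl", "download", "official", "web")
# Assumed allowlist of the vendor's genuine domains; an operator would maintain this.
ALLOWLIST = {"telegram.org", "telegram.me", "t.me"}
MAX_EDIT_DISTANCE = 2


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "telegarm" -> "telegram"
    return d[len(a)][len(b)]


def classify(domain: str) -> dict:
    """Classify one domain against the brand and list the reasons it looks like an impersonation."""
    domain = domain.lower().strip().rstrip(".")
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]  # registrable label, e.g. "teleqram"
    tld = labels[-1]
    if domain in ALLOWLIST:
        return {"domain": domain, "tld": tld, "suspicious": False, "reasons": ["allowlisted"]}

    reasons = []
    normalized = label
    for lookalike, real in CONFUSABLES.items():
        normalized = normalized.replace(lookalike, real)
    if normalized != label and BRAND in normalized:
        reasons.append("homoglyph")

    if BRAND in label:
        rest = label.replace(BRAND, "", 1).strip("-")
        if rest and any(tok in rest for tok in DOWNLOAD_TOKENS):
            reasons.append("brand+download token")
        elif rest:
            reasons.append("brand+extra text")
    else:
        dist = osa_distance(label, BRAND)
        if dist <= MAX_EDIT_DISTANCE:
            reasons.append(f"edit distance {dist}")
    return {"domain": domain, "tld": tld, "suspicious": bool(reasons), "reasons": reasons}


def scan(domains) -> list:
    """Return the classification of every domain judged suspicious."""
    return [r for r in (classify(d) for d in domains) if r["suspicious"]]


# Constructed sample modelled on the naming patterns in the advisory; not the campaign's domain list.
SAMPLE_DOMAINS = [
    "teleqram.top", "telegramapp.xyz", "telegramdl.online", "apktelegram.site",
    "te1egram.com", "telegarm.com", "telegram.org", "example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_DOMAINS):
        print(f"{hit['domain']:20} .{hit['tld']:7} {', '.join(hit['reasons'])}")
```

In a production feed the classifier would run over newly registered domains (the advisory's own recommendation of catching domains in their nascent stage), and the TLD returned with each hit lets an analyst weight results by the distribution reported above.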

It is worth noting that the JavaScript file hosted at https://telegramt.net/static/js/ajs.js?v=3 appears to be part of a tracking and app promotion script. It likely detects the user’s device type (Android, iOS, or PC), collects browser and domain information, and sends this data to an external server (dszb77[.]com) for analytics or user behavior tracking. That domain, referenced only inside the JS file, is part of the cybercriminal infrastructure and currently serves no content. The script also contains code (currently commented out) to display a floating “Download App” banner aimed specifically at Android users.

Critical Observations about Firebase

Firebase is a Backend-as-a-Service (BaaS) platform that hosts an application’s backend components, such as databases, file storage, and user authentication. The Firebase database at “https://tmessages2.firebaseio.com” is deactivated, indicating that this instance has been deleted, disabled, or abandoned by the developer.

Any cybercriminal could revive the instance by registering a new Firebase project under the same name (tmessages2). Every older app hard-coded to connect to “tmessages2[.]firebaseio[.]com” would then connect to the adversary’s new database. The campaign can therefore remain viable even if the original operators are no longer running it.

  • Deploy a continuous, automated threat monitoring solution capable of broadly identifying malicious domains and infrastructure.
  • Leverage multiple threat intelligence platforms to confirm whether APKs, URLs, and hashes have been identified as malicious.
  • Prohibit employees from downloading applications from unverified sources, such as third-party blog sites, even if they purport to offer legitimate content or news.
  • Facilitate preemptive takedowns or blacklisting of malicious domains before they become active, ideally while they are still in their nascent stages.



Source: https://bfore.ai/report/malicious-telegram-apk-campaign-advisory/