A widespread malware campaign is using 607 malicious domains, often with typosquatting, to distribute fake Telegram APKs that enable remote command execution on Android devices. This sophisticated operation, identified by Bfore.AI, targets users through deceptive phishing websites and exploits the Janus vulnerability to bypass security measures.
This sophisticated malware campaign employs 607 malicious domains to distribute weaponized Android applications disguised as Telegram Messenger, marking a significant escalation in mobile malware distribution. The attackers utilize typosquatting techniques with variations like “teleqram” and “apktelegram” on domains primarily hosted in Chinese, deceiving users who scan QR codes. These codes redirect victims to a convincing fake Telegram website, zifeiji[.]asia, which then offers downloadable malicious APKs, ensuring centralized control over the distribution process while maintaining an appearance of legitimacy.
The campaign’s infrastructure demonstrates considerable resilience, with the malicious domains leveraging various top-level domains, notably .com, .top, and .xyz, all registered through the Gname registrar. This diverse distribution strategy maximizes the campaign’s ability to resist takedown efforts and maintain continuous operation. Bfore.AI’s PreCrime™ Labs threat research division was instrumental in identifying this extensive operation, revealing its broad reach and the detailed methods employed by the attackers.
Technical analysis of the malicious APK files, ranging from 60MB to 70MB, reveals their sophistication, particularly in exploiting the Janus vulnerability.
This specific exploit targets Android devices running versions 5.0 through 8.0, allowing the malware to bypass modern security restrictions. By utilizing v1 signature schemes, the malicious APK can operate undetected on vulnerable devices, enabling its nefarious activities without triggering security alerts.
The most concerning aspect of this malware is its remote command execution capability, facilitated through socket-based callbacks.
The malicious application establishes persistent connections with command-and-control servers, enabling real-time reception and execution of instructions. This functionality is achieved by invoking MediaPlayer and deliberately bypassing secure transmission standards through the use of cleartext HTTP and FTP protocols.
Furthermore, the malware demands extensive permissions, including READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE, granting attackers comprehensive access to sensitive user data. In addition to data access, a JavaScript tracking script hosted at telegramt.net/static/js/ajs.js?v=3 collects detailed device and browser information. This collected intelligence is then forwarded to dszb77[.]com for analysis, allowing the attackers to track user behavior and refine their targeting strategies, making the campaign highly effective and adaptive.
Reference:
