Hackers Leverage 607 Malicious Domains to Spread APK Malware with Remote Command Execution
PreCrime Labs at BforeAI discovered a complex cyber threat operation in which hackers have used a vast network of 607 rogue domains to spread fake Telegram Messenger application files (APKs) over the course of the last month.
These domains, primarily registered via the Gname registrar and hosting content in Chinese, form part of a large-scale phishing and malware campaign aimed at deceiving users into installing harmful software.
The operation leverages QR codes on these sites that redirect victims to a central domain, zifeiji[.]asia, which mimics official Telegram attributes including favicons, themes, and direct APK downloads.
This centralized redirection ensures efficient delivery of the malware, with APKs sized at approximately 60MB and 70MB, bearing MD5 hashes acff2bf000f2a53f7f02def2f105c196 and efddc2dddc849517a06b89095b344647, and SHA-1 hashes 9650ae4f4cb81602700bafe81d96e8951aeb6aa5 and 6f643666728ee9bc1c48b497f84f5c4d252fe1bc.
The phishing pages adopt a blog-like appearance, featuring Chinese-language titles such as “Paper Plane Official Website Entrance Paper Plane Official Website Paper Plane Official Website Download | Paper Plane Official Website Entrance | Paper Plane Official Website Chinese Version | Paper Plane Official Website Login,” which cleverly emulate SEO tactics to boost visibility and credibility while impersonating Telegram.

Exploitation of Android Vulnerabilities
Technically, the malicious APKs are signed using the outdated v1 signature scheme, rendering them susceptible to the Janus vulnerability on Android versions 5.0 through 8.0.
According to the report, this flaw allows attackers to repackage legitimate apps with malicious modifications while preserving the original signature, bypassing security checks and enabling undetected installation on vulnerable devices.
The APKs use cleartext channels (HTTP, FTP, and Android's DownloadManager), bypassing transport encryption, and request broad permissions such as READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE, which expose sensitive user data to exploitation.
Furthermore, the malware integrates MediaPlayer invocations and socket-based callbacks for real-time remote command execution, facilitating data exfiltration, device surveillance, and unauthorized control.
Common top-level domains (TLDs) in this campaign include .com (316 instances), .top (87), .xyz (59), .online (31), and .site (24), often incorporating typosquats like “teleqram,” “telegramapp,” “telegramdl,” and “apktelegram” to lure unsuspecting users.
A notable JavaScript file at https://telegramt.net/static/js/ajs.js?v=3 serves as a tracking mechanism, detecting device types (Android, iOS, or PC), collecting browser and domain data, and relaying it to an external server at dszb77[.]com for analytics, with commented-out code hinting at floating banners promoting app downloads specifically for Android targets.
Firebase Hijacking Risks
A critical observation involves the Firebase database at https://tmessages2.firebaseio.com, which appears deactivated or abandoned, creating an opportunity for adversaries to register a new project under the same name and hijack connections from legacy apps.
This persistence mechanism ensures the campaign’s longevity, even without active involvement from the original perpetrators.
To counter such threats, organizations should implement continuous automated monitoring for malicious domains, cross-reference APKs, URLs, and hashes against multiple threat intelligence feeds, restrict downloads from unverified sources, and pursue preemptive domain takedowns or blacklisting.
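As an added example (not code from the report or from BforeAI), the Python triage helper below does two of the checks above on a downloaded APK: it matches the file's MD5/SHA-1 against the report's IOC hashes, and it flags files that carry only a v1 (JAR) signature with no v2/v3 APK Signing Block, the condition that leaves them Janus-exposed on Android 5.0 through 8.0. The minimal sample APK it builds is constructed for offline testing and is not a real app.

```python
import hashlib
import io
import struct
import zipfile

# IOC hashes from the report's table, used for offline matching.
BAD_MD5 = {"acff2bf000f2a53f7f02def2f105c196", "efddc2dddc849517a06b89095b344647"}
BAD_SHA1 = {"9650ae4f4cb81602700bafe81d96e8951aeb6aa5",
            "6f643666728ee9bc1c48b497f84f5c4d252fe1bc"}
SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of the v2/v3 APK Signing Block

def eocd_offset(data: bytes) -> int:
    """Locate the ZIP end-of-central-directory record (comment is at most 64 KiB)."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if idx < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return idx

def has_signing_block(data: bytes) -> bool:
    """v2/v3-signed APKs end their signing block with the magic right before the central directory."""
    cd_offset = struct.unpack_from("<I", data, eocd_offset(data) + 16)[0]
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC

def has_v1_signature(data: bytes) -> bool:
    """v1 (JAR) signing leaves META-INF/*.RSA, .DSA or .EC signature files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                   for n in zf.namelist())

def assess_apk(data: bytes) -> dict:
    """Hash-match against the IOCs and flag v1-only signing (Janus-exposed on Android 5.0-8.0)."""
    v1, v2plus = has_v1_signature(data), has_signing_block(data)
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return {"md5": md5, "sha1": sha1, "known_bad": md5 in BAD_MD5 or sha1 in BAD_SHA1,
            "v1_only": v1 and not v2plus}

def build_sample_apk(with_sig_block: bool) -> bytes:
    """Constructed, minimal APK-shaped ZIP for offline testing; not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("META-INF/CERT.RSA", b"placeholder-signature")
    data = buf.getvalue()
    if not with_sig_block:
        return data
    # Splice an empty signing block (size, size, magic) in front of the central
    # directory and bump the EOCD's central-directory offset by its length.
    eocd = eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    block = struct.pack("<QQ", 24, 24) + SIG_BLOCK_MAGIC
    patched_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + patched_eocd
```

A v1-only result is a risk signal, not proof of tampering; it tells you the installer on an unpatched device will not verify the whole-file signature that v2/v3 provide.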
This campaign underscores the evolving tactics in mobile malware distribution, blending phishing with advanced exploitation to compromise user devices globally.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| MD5 Hash | acff2bf000f2a53f7f02def2f105c196 |
| MD5 Hash | efddc2dddc849517a06b89095b344647 |
| SHA-1 Hash | 9650ae4f4cb81602700bafe81d96e8951aeb6aa5 |
| SHA-1 Hash | 6f643666728ee9bc1c48b497f84f5c4d252fe1bc |
| Domain | zifeiji[.]asia (central redirection site) |
| URL | https://telegramt.net/static/js/ajs.js?v=3 (tracking script) |
| Domain | dszb77[.]com (analytics server) |
| Firebase URL | https://tmessages2.firebaseio.com (deactivated, potential hijack target) |