A sophisticated cyberattack campaign has been identified, involving the use of 607 malicious domains to distribute Android malware disguised as legitimate Telegram Messenger applications. This large-scale operation highlights the evolving tactics of cybercriminals in targeting mobile users through deceptive means.
Deceptive Distribution Tactics
The attackers employ typosquatting techniques, registering domains with slight variations of the official Telegram name, such as teleqram, telegramapp, and apktelegram. These domains host counterfeit websites that closely mimic the legitimate Telegram download page, complete with authentic-looking favicons, download buttons, and thematic styling. Users are often redirected to these sites via QR codes, a method that adds a layer of credibility and convenience, thereby increasing the likelihood of successful deception.
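One way a defender can hunt for the look-alike domains described above is to score the second-level label of every queried name against the brand string. The following is an added example written for this summary, not code from the report or from Telegram: the resolver log lines are constructed, the homoglyph table and the 0.8 similarity threshold are my own assumptions, and the registrable-domain split is a two-label simplification rather than a public-suffix-list lookup.

```python
"""Flag Telegram look-alike domains in DNS query logs.

Added example for this article, not code from the report it summarises. The log
lines are constructed, the homoglyph table and the 0.8 similarity threshold are
assumptions, and the registrable-domain split keeps the last two labels only.
"""
import re
from difflib import SequenceMatcher

BRAND = "telegram"
# Domains Telegram actually uses; anything else that scores as the brand is a look-alike.
OFFICIAL = {"telegram.org", "telegram.me", "t.me", "telesco.pe"}
THRESHOLD = 0.8  # assumed cut-off for the fuzzy score
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+qname=(?P<qname>\S+)")

# Constructed resolver log, one query per line (not from the campaign).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z src=10.20.0.17 qname=telegram.org qtype=A
2024-05-02T09:14:09Z src=10.20.0.17 qname=teleqram.top qtype=A
2024-05-02T09:15:41Z src=10.20.0.23 qname=apktelegram.xyz qtype=A
2024-05-02T09:16:02Z src=10.20.0.23 qname=telegramapp.com qtype=A
2024-05-02T09:17:55Z src=10.20.0.31 qname=example.com qtype=AAAA
2024-05-02T09:18:10Z src=10.20.0.31 qname=cdn.t.me qtype=A
"""


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so that 'teleqram' reads 'telegram'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("q10", "glo"))


def registrable(domain: str) -> str:
    """Keep the last two labels ('cdn.t.me' -> 't.me'); a deliberate simplification."""
    parts = domain.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def brand_score(domain: str) -> float:
    """1.0 when the normalised second-level label contains the brand, otherwise the
    best SequenceMatcher ratio between the brand and any brand-length window."""
    sld = registrable(domain).split(".")[0]
    norm = normalize(sld)
    if BRAND in norm:
        return 1.0
    n = len(BRAND)
    windows = (norm[i:i + n] for i in range(max(1, len(norm) - n + 2)))
    return max(SequenceMatcher(None, BRAND, w).ratio() for w in windows)


def classify(domain: str) -> str:
    """'official' for Telegram's own domains, 'lookalike' above the threshold, else 'unrelated'."""
    if registrable(domain) in OFFICIAL:
        return "official"
    return "lookalike" if brand_score(domain) >= THRESHOLD else "unrelated"


def suspicious_queries(log_text: str) -> list:
    """Return (client, qname) pairs whose registrable domain impersonates the brand."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and classify(m["qname"]) == "lookalike":
            hits.append((m["src"], m["qname"].lower()))
    return hits


if __name__ == "__main__":
    for src, qname in suspicious_queries(SAMPLE_LOG):
        print(f"{src} queried look-alike domain {qname}")
```

Run against the sample log, the three typosquats from the article (teleqram, apktelegram, telegramapp) are flagged while telegram.org and cdn.t.me resolve to the official allow-list. The window-based score also catches single-character edits such as telegran.com, which a plain substring check would miss.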
Technical Sophistication and Exploitation
The malicious APK files distributed through these domains are notably large, ranging from 60MB to 70MB, and are signed using the legacy v1 (JAR) signature scheme. This leaves them open to the Janus vulnerability (CVE-2017-13156), which affects Android versions 5.0 through 8.0: because v1 verification covers the individual ZIP entries rather than the file as a whole, harmful code can be inserted into a legitimate APK without invalidating its signature, allowing the malware to bypass standard detection methods and operate undetected on vulnerable devices.
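The signing-scheme observation is something a triage pipeline can check directly from the file layout: a v1-only APK carries signature files under META-INF/ but has no APK Signing Block (the 16-byte "APK Sig Block 42" marker) in front of the ZIP central directory, and a file that begins with a DEX header instead of a ZIP local-file header is not a normal APK at all. The code below is an added example for this summary, not code from the report; the sample APKs are constructed in memory with placeholder (not cryptographically valid) signature entries, and the helper that splices an empty signing block exists only to exercise the v2 check.

```python
"""Triage an APK's signing scheme from its ZIP layout.

Added example for this article, not code from the report. The sample APKs are
constructed in memory with placeholder signature entries.
"""
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailing 16 bytes of the v2/v3 signing block
DEX_MAGIC = b"dex\n"
ZIP_LOCAL_MAGIC = b"PK\x03\x04"


def central_directory_offset(data: bytes) -> int:
    """Find the end-of-central-directory record and return the CD start offset."""
    idx = data.rfind(EOCD_MAGIC, max(0, len(data) - 65536 - 22))
    if idx < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    # EOCD: magic(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4)
    return struct.unpack_from("<I", data, idx + 16)[0]


def has_v2_signing_block(data: bytes) -> bool:
    """The APK Signing Block sits immediately before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 16 and data[cd - 16:cd] == SIG_BLOCK_MAGIC


def v1_signature_files(data: bytes) -> list:
    """META-INF/*.RSA|.DSA|.EC entries are the JAR (v1) signature blocks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]


def triage(data: bytes) -> dict:
    return {
        "v1_signed": bool(v1_signature_files(data)),
        "v2_or_later": has_v2_signing_block(data),
        "zip_header_first": data[:4] == ZIP_LOCAL_MAGIC,
        "dex_header_first": data[:4] == DEX_MAGIC,
    }


def risk_flags(data: bytes) -> list:
    t = triage(data)
    flags = []
    if t["v1_signed"] and not t["v2_or_later"]:
        flags.append("v1-only signature: Janus (CVE-2017-13156) applies on Android 5.0-8.0")
    if not t["v1_signed"] and not t["v2_or_later"]:
        flags.append("unsigned: will not install")
    if t["dex_header_first"]:
        flags.append("file begins with a DEX header, not a ZIP local-file header")
    return flags


def build_sample_apk(v1: bool = True) -> bytes:
    """Constructed stand-in APK: correct layout, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 16)  # placeholder PKCS#7
    return buf.getvalue()


def add_placeholder_signing_block(data: bytes) -> bytes:
    """Splice an empty APK Signing Block (layout only, no real signature) before the
    central directory and fix up the EOCD offset, so the v2 check has something to find."""
    cd = central_directory_offset(data)
    payload = b"\x00" * 8
    size = len(payload) + 8 + 16          # size field excludes the leading size field itself
    block = struct.pack("<Q", size) + payload + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    out = bytearray(data[:cd] + block + data[cd:])
    eocd = out.rfind(EOCD_MAGIC)
    struct.pack_into("<I", out, eocd + 16, cd + len(block))
    return bytes(out)


if __name__ == "__main__":
    for name, apk in (("v1-only", build_sample_apk()),
                      ("v1+v2", add_placeholder_signing_block(build_sample_apk()))):
        print(name, triage(apk), risk_flags(apk))
```

The check is a layout test, not a signature verification: it tells you which schemes are present, which is enough to flag a v1-only package for closer review. Verifying that the signatures are actually valid is a job for apksigner.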
Remote Command Execution Capabilities
Once installed, the malware maintains a persistent connection to its command-and-control servers and receives and executes remote commands in real time. It does so through socket-based callbacks and the invocation of MediaPlayer, over cleartext protocols such as HTTP and FTP; skipping transport encryption leaves the command traffic neither confidential nor authenticated and gives the attackers extensive control over the compromised device. The malware also requests broad permissions, including READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE, providing comprehensive access to the user's files.
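Both traits in this section, cleartext networking and broad storage permissions, are visible in the app manifest before the package is ever run. The following added example (written for this summary, not code from the report) triages a manifest that has already been decoded to text, as apktool produces; the two sample manifests are constructed, the permission watchlist is my own choice, and the only fact taken from outside the article is the official Telegram package name, org.telegram.messenger.

```python
"""Static triage of a decoded AndroidManifest.xml for cleartext networking,
broad permissions and brand impersonation.

Added example for this article, not code from the report. The manifests below are
constructed; the permission watchlist is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OFFICIAL_PACKAGE = "org.telegram.messenger"   # the real Telegram package name
WATCHED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest modelled on the traits in the article, not a real sample.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.messenger.tele.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Telegram" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed benign counterpart: official package, cleartext disabled.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.telegram.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Telegram" android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""


def android_attr(name: str) -> str:
    """Qualified attribute name for the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(e.get(android_attr("name"), "") for e in root.iter(tag))
    notes, findings = [], []
    watched = sorted(perms & WATCHED_PERMISSIONS)
    if watched:
        # Informational: legitimate messengers request these too.
        notes.append("requests " + ", ".join(p.rsplit(".", 1)[-1] for p in watched))
    app = root.find("application")
    if app is not None:
        if app.get(android_attr("usesCleartextTraffic"), "false").lower() == "true":
            findings.append("usesCleartextTraffic=true: plain HTTP/FTP to any host is allowed")
        label = app.get(android_attr("label"), "")
        if "telegram" in label.lower() and pkg != OFFICIAL_PACKAGE:
            findings.append(f"label '{label}' with non-official package '{pkg}'")
    return {"package": pkg, "permissions": sorted(perms), "notes": notes,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

Permissions alone are kept as notes rather than findings because the genuine client needs network and storage access as well; the combination of an explicit cleartext opt-in with a Telegram label on a non-official package is what raises the result to suspicious.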
Infrastructure and Tracking Mechanisms
The campaign’s infrastructure is extensive, with the majority of the 607 malicious domains registered through the Gname registrar and hosted in China. The distribution strategy spans multiple top-level domains, including .com (316 instances), .top (87 instances), and .xyz (59 instances), enhancing the campaign’s resilience against takedown efforts. Additionally, the malware incorporates a JavaScript tracking script hosted at telegramt.net/static/js/ajs.js?v=3, which collects device and browser information and forwards this data to dszb77[.]com for analysis and user behavior tracking.
Preventive Measures and Recommendations
To mitigate the risks associated with such sophisticated malware campaigns, users are advised to:
– Download Apps from Official Sources: Always obtain applications from trusted sources like the Google Play Store or the Samsung Galaxy Store.
– Enable Google Play Protect: This feature scans apps for malware and provides alerts about potential security threats.
– Use Reputable Antivirus Software: Installing and regularly updating a trusted antivirus application can provide an additional layer of security.
– Be Cautious with QR Codes: Avoid scanning QR codes from unverified sources, as they can redirect to malicious websites.
– Keep Devices Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.
By adhering to these practices, users can significantly reduce the risk of falling victim to such deceptive and harmful cyberattacks.