Cybersecurity researchers at PreCrime Labs, the threat research division of BforeAI, have uncovered a massive malicious campaign involving 607 domains that are actively distributing fake Telegram Messenger applications.
The sophisticated operation, primarily targeting Chinese-speaking users, leverages advanced Android vulnerabilities to enable remote command execution and data theft on compromised devices.
Elaborate QR Code Deception Campaign
The threat actors have orchestrated an intricate distribution network where malicious domains host QR codes that redirect victims to zifeiji[.]asia, a convincing replica of Telegram’s official website complete with authentic-looking favicons, downloadable APKs, and official theming.
The fraudulent sites feature Chinese-language page titles claiming to be “Paper Plane Official Website Entrance” while distributing malicious Telegram imposters.
Two distinct APK files, 60MB and 70MB in size, have been identified by their hash values.
Their MD5 hashes are acff2bf000f2a53f7f02def2f105c196 and efddc2dddc849517a06b89095b344647, corresponding to the SHA-1 hashes 9650ae4f4cb81602700bafe81d96e8951aeb6aa5 and 6f643666728ee9bc1c48b497f84f5c4d252fe1bc.
These applications exploit the Janus vulnerability, which affects Android versions 5.0 through 8.0, by relying on the deprecated v1 (JAR) signature scheme, allowing attackers to bypass modern signature verification restrictions.
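A quick triage check for this class of sample is whether an APK carries only a v1 (JAR) signature or also an APK Signing Block (v2/v3). The following Python is an added example, not code from BforeAI or PreCrime Labs; the APK it builds and its dummy signature bytes are constructed for the demonstration, and the splice helper exists only to produce a v2-style test case.

```python
# Added triage helper (not BforeAI/PreCrime Labs code): classify an APK's signing scheme; sample bytes are constructed.
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # last 16 bytes of the v2/v3 APK Signing Block
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")  # JAR-style signature block files under META-INF/

def central_directory_offset(data: bytes) -> int:
    """Read the central directory offset from the End of Central Directory record (assumes no ZIP64)."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("EOCD record not found: not a ZIP/APK")
    return struct.unpack_from("<I", data, idx + 16)[0]

def has_apk_signing_block(data: bytes) -> bool:
    """v2+ signatures sit in a block whose final 16 bytes are the magic, right before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC

def v1_signature_files(data: bytes) -> list:
    """JAR (v1) signing leaves META-INF/*.SF plus a *.RSA/*.DSA/*.EC signature block file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES)]

def classify_signing(data: bytes) -> str:
    v1, v2 = bool(v1_signature_files(data)), has_apk_signing_block(data)
    if v1 and v2:
        return "v1+v2"
    if v2:
        return "v2-only"
    return "v1-only" if v1 else "unsigned"   # v1-only is the Janus-exposed case on Android 5.0-8.0

def build_v1_only_apk() -> bytes:
    """Constructed stand-in for a JAR-signed APK; signature contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82dummy-pkcs7")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

def add_empty_signing_block(apk: bytes) -> bytes:
    """Splice a minimal, empty APK Signing Block before the central directory and patch the EOCD offset."""
    cd = central_directory_offset(apk)
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC   # size-of-block twice, then magic
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, out.rfind(b"PK\x05\x06") + 16, cd + len(block))
    return bytes(out)
```

Run `classify_signing` over a directory of suspect APKs and treat any "v1-only" result as a candidate for closer analysis; a signing block alone does not prove the signer is legitimate.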
Technical Infrastructure and Remote Control Capabilities
The malicious APKs demonstrate sophisticated technical capabilities, including cleartext network traffic (HTTP, FTP and Android's DownloadManager) that bypasses encrypted transport standards.
Most concerning is the application’s ability to invoke MediaPlayer functionality and execute remote commands through socket-based callbacks, enabling real-time device control, surveillance, and data exfiltration.
Analysis reveals that the domains were registered through the Gname registrar and utilize typosquatting techniques, with variations such as “teleqram,” “telegramapp,” and “apktelegram.”
The campaign spans multiple top-level domains, with .com domains representing the most significant segment (316 instances), followed by .top (87), .xyz (59), .online (31), and .site (24).
A particularly troubling discovery involves the deactivated Firebase database at “tmessages2.firebaseio.com.”
Security researchers warn that any cybercriminal could potentially reactivate this instance by registering a new Firebase project with the same name, effectively hijacking connections from previously distributed malicious applications.
Critical Security Implications
The campaign’s JavaScript tracking component, hosted at telegramt.net/static/js/ajs.js, actively detects user device types and transmits collected browser and domain information to external servers for analytics and behavioral tracking.
This infrastructure demonstrates the operation’s sophisticated approach to user profiling and targeting.
Security experts recommend deploying continuous, automated threat monitoring solutions, leveraging multiple threat intelligence platforms for APK verification, and implementing strict policies that prohibit application downloads from unverified sources.
Organizations should also facilitate preemptive takedowns of malicious domains before they become operational, disrupting these campaigns in their early stages.