A counterfeit Android Telegram app is being spread from more than 600 malicious domains.

A newly observed Android malware campaign is leveraging more than 600 malicious domains to distribute counterfeit versions of the Telegram messaging app. The operation, which primarily targets Chinese-speaking users, has raised concerns in the cybersecurity community due to its scale, sophistication, and exploitation of old Android vulnerabilities.

Researchers identified 607 domains used to host lookalike Telegram download pages. These domains employ minor spelling alterations—such as “teleqram” or “telegramdl”—to trick users into believing they are legitimate sources. Many of the sites impersonate blog or fan pages and use Telegram branding to lend an air of credibility. They are frequently titled with Chinese-language phrases like “Paper Plane Official Website Download,” a colloquial reference to Telegram. These pages often include search-optimized content designed to attract users looking for Telegram APKs outside of official stores.

Once a user lands on one of the fake pages, they are prompted to download an Android Package (APK) file purporting to be Telegram. The download typically ranges between 60 and 70 megabytes, closely mirroring the size of the genuine app. Upon installation, the fake application convincingly mimics Telegram’s user interface. However, beneath the surface, it immediately requests an extensive set of permissions. These permissions enable the malicious app to access external storage, gather device information, and perform remote actions.

The malware communicates with its command-and-control servers using cleartext protocols such as HTTP and FTP. This increases the risk of interception and data leaks in transit. Researchers also report that some versions of the rogue app make use of the CVE-2017-13156 vulnerability—commonly known as the Janus flaw. This vulnerability, affecting Android versions 5.0 through 8.0, allows attackers to alter APK files in a way that injects harmful code without breaking their digital signatures. As a result, the malware can bypass certain verification checks and avoid detection on less-secure devices.
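Two static checks a defender can run on a sideloaded APK before installing it, as an added example that is not from the article or the researchers' report: a Janus-style file begins with a DEX header instead of the ZIP "PK" magic, and an APK Signing Block carrying a v2 or v3 entry means the signature covers the whole file, which is the mitigation Android 7 introduced. The sample archives and the signing-block entry are constructed inside the code and are not real APKs or real signatures.

```python
# Static checks for the Janus (CVE-2017-13156) layout in a downloaded APK.
import io, struct, zipfile

DEX_MAGIC, EOCD_SIG = b"dex\n", 0x06054B50        # DEX file magic; ZIP end-of-central-dir signature
SIG_BLOCK_MAGIC, V2_ID, V3_ID = b"APK Sig Block 42", 0x7109871A, 0xF05368C0   # signing block magic / scheme ids
def starts_with_dex_header(apk: bytes) -> bool:
    # Janus layout: DEX header in front of the ZIP; ART runs it as DEX, the v1 verifier sees the ZIP.
    return apk[:4] == DEX_MAGIC
def find_eocd(apk: bytes) -> int:
    for off in range(len(apk) - 22, -1, -1):          # scan back from the end for the EOCD record
        if struct.unpack_from("<I", apk, off)[0] == EOCD_SIG:
            return off
    raise ValueError("no EOCD record: not a ZIP/APK")
def signature_scheme_ids(apk: bytes) -> set:
    # Ids of the pairs in the APK Signing Block just before the central directory (empty: v1 only).
    cd_offset = struct.unpack_from("<I", apk, find_eocd(apk) + 16)[0]
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]   # excludes the leading size field
    pos, end, ids = cd_offset - size, cd_offset - 24, set()
    while pos < end:
        length, ident = struct.unpack_from("<QI", apk, pos)
        ids.add(ident)
        pos += 8 + length
    return ids
def assess(apk: bytes) -> dict:
    # A v2/v3 signature covers the whole file, so a Janus-modified APK fails it on Android 7+.
    janus = starts_with_dex_header(apk)
    ids = set() if janus else signature_scheme_ids(apk)
    return {"janus_layout": janus, "v2_or_v3_signed": bool(ids & {V2_ID, V3_ID})}

# Constructed samples (not real APKs; the signing-block entry is a dummy, not a signature).
def _minimal_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()
def _with_dummy_v2_block(zip_bytes: bytes) -> bytes:
    pair = struct.pack("<QI", 12, V2_ID) + b"\0" * 8               # length, id, 8-byte dummy value
    block = struct.pack("<Q", len(pair) + 24) + pair + struct.pack("<Q", len(pair) + 24) + SIG_BLOCK_MAGIC
    eocd = find_eocd(zip_bytes)
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))  # CD moved by the block
    return bytes(out)
CLEAN_APK = _minimal_zip()                               # v1-style archive, no signing block
V2_APK = _with_dummy_v2_block(CLEAN_APK)
JANUS_APK = b"dex\n035\0" + b"\0" * 100 + CLEAN_APK      # DEX header glued on the front
```

A real Janus file also rewrites the ZIP offsets so the archive still parses; the first-bytes check catches it regardless, while a missing v2/v3 block only tells you the device's whole-file verification cannot help.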

What sets this campaign apart is not just the volume of domains involved, but the methodical, targeted nature of the distribution. By maintaining a vast network of phishing sites, the actors behind the campaign increase their likelihood of ensnaring users who seek alternative download sources—intentionally or otherwise.
