A sophisticated malware campaign has emerged, leveraging 607 malicious domains to distribute weaponized Android applications masquerading as Telegram Messenger. This large-scale operation represents a significant escalation in mobile malware distribution, targeting users across multiple regions through carefully crafted phishing infrastructure.

The malicious domains, primarily hosted in Chinese, use typosquatting variations such as "teleqram," "telegramapp," and "apktelegram" to deceive unsuspecting users. The attack chain begins with QR codes hosted on these domains, which redirect victims to zifeiji[.]asia, a convincingly designed fake Telegram website complete with an official-looking favicon, a downloadable APK, and authentic theme styling. This centralized redirection mechanism allows attackers to maintain control over the distribution process while appearing legitimate to potential victims.

Bfore.AI analysts identified this campaign through their PreCrime™ Labs threat research division, revealing the operation's extensive reach across multiple top-level domains.

The malicious APK files, ranging from 60MB to 70MB in size, are distributed with hash values including the MD5 signatures acff2bf000f2a53f7f02def2f105c196 and efddc2dddc849517a06b89095b344647. The malware requests extensive permissions, including READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE, granting attackers comprehensive access to user data. By using the v1 signature scheme, the malicious APK bypasses modern security restrictions and operates undetected on vulnerable devices.

The malicious application establishes persistent connections with command-and-control servers, enabling real-time instruction reception and execution. This functionality is achieved through MediaPlayer invocation combined with cleartext traffic protocols including HTTP and FTP, deliberately bypassing secure transmission standards. Additionally, a JavaScript tracking script hosted at telegramt.net/static/js/ajs.js?v=3 collects device information and browser data, forwarding this intelligence to dszb77[.]com for analysis and user behavior tracking.
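The typosquatting patterns and indicators above can be turned into a small triage routine for DNS, proxy or download logs. The following is an added example written for this article, not code from the report or from Bfore.AI: it refangs indicators, allowlists Telegram's own domains (the allowlist is an assumption and deliberately minimal), matches the hostnames and MD5 hashes the report names, and flags both brand-embedded registrations ("telegramapp", "apktelegram") and near-miss lookalikes ("teleqram") using edit similarity. The similarity threshold and the single-label public-suffix assumption are choices made here for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, Iterable, Optional

# Brand impersonated in this campaign.
BRAND = "telegram"

# Domains genuinely operated by Telegram. Assumption: a minimal allowlist for
# illustration; a production deployment would use a vetted, complete list.
LEGIT_DOMAINS = {"telegram.org", "telegram.me", "t.me"}

# Infrastructure named in the report (redirect target, tracker host, exfil host).
KNOWN_BAD_DOMAINS = {"zifeiji.asia", "telegramt.net", "dszb77.com"}

# MD5 hashes of the malicious APKs published in the report.
KNOWN_BAD_MD5 = {
    "acff2bf000f2a53f7f02def2f105c196",
    "efddc2dddc849517a06b89095b344647",
}

# Similarity threshold chosen here so that a single-character swap such as
# "teleqram" (ratio 0.875 against "telegram") is caught.
LOOKALIKE_THRESHOLD = 0.8


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'zifeiji[.]asia' back into a hostname."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain.strip().lower()).rstrip(".")


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD ('teleqram' for 'teleqram.com').

    Simplification: assumes a single-label public suffix; a domain under
    'co.uk' would need a public-suffix list to be split correctly.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain: str) -> Optional[str]:
    """Classify one hostname; returns a reason string, or None if nothing is suspicious."""
    d = refang(domain)
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return None
    if d in KNOWN_BAD_DOMAINS:
        return "known-bad"
    label = second_level_label(d)
    if BRAND in label:
        # "telegramapp", "apktelegram", "telegramt": the brand embedded in a
        # registration Telegram does not own.
        return "brand-embedded"
    if SequenceMatcher(None, label, BRAND).ratio() >= LOOKALIKE_THRESHOLD:
        # "teleqram": one character away from the brand.
        return "lookalike"
    return None


def triage_domains(domains: Iterable[str]) -> Dict[str, str]:
    """Map each flagged domain (refanged) to its reason; clean domains are omitted."""
    flagged = {}
    for dom in domains:
        reason = classify_domain(dom)
        if reason:
            flagged[refang(dom)] = reason
    return flagged


def is_known_bad_md5(md5_hex: str) -> bool:
    """Match a file's MD5 (any case) against the hashes from the report."""
    return md5_hex.strip().lower() in KNOWN_BAD_MD5


if __name__ == "__main__":
    # Constructed sample of hostnames, as they might appear in a DNS or proxy log.
    sample = ["teleqram.com", "telegramapp.xyz", "apktelegram.top",
              "zifeiji[.]asia", "web.telegram.org", "example.com"]
    for host, reason in triage_domains(sample).items():
        print(f"{host:24} {reason}")
```

The lookalike check is intentionally narrow (second-level label only, one brand); widening it to every brand an organisation cares about is a matter of looping over a brand list, but the threshold should then be re-tuned per brand length, since short names produce more false positives at 0.8.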
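The report singles out the APK's reliance on the v1 (JAR) signature scheme. A defender triaging a batch of downloaded APKs can check that property without Android tooling, because v2 and v3 signatures live in an "APK Signing Block" placed immediately before the ZIP central directory and terminated by the 16-byte magic `APK Sig Block 42`, whereas a v1 signature consists only of `META-INF/MANIFEST.MF` plus a `META-INF/*.RSA`, `.DSA` or `.EC` signature file. The following is an added example, not code from the article or from Bfore.AI; the sample APKs it builds are placeholder ZIPs constructed in memory (not real malware), and the fake signing block it splices in contains no signer data, only the size fields and magic needed to exercise the check.

```python
import io
import struct
import zipfile

# 16-byte magic that terminates the APK Signing Block used by v2/v3 signatures.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"


def central_directory_offset(data: bytes) -> int:
    """Read the central-directory offset from the ZIP end-of-central-directory record.

    Simplification: locates the EOCD with a backwards search for its signature;
    a hardened parser would confine the search to the last 64 KiB + 22 bytes.
    """
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a ZIP/APK file")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4)
    return struct.unpack_from("<I", data, eocd + 16)[0]


def has_v2_or_later_block(data: bytes) -> bool:
    """v2/v3 signatures sit in a block ending with the magic right before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC


def has_v1_signature(data: bytes) -> bool:
    """v1 (JAR) signing: MANIFEST.MF plus a META-INF/*.RSA|.DSA|.EC signature block."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    has_manifest = "META-INF/MANIFEST.MF" in names
    has_sig_file = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                       for n in names)
    return has_manifest and has_sig_file


def signing_schemes(data: bytes) -> dict:
    """Summarise which signature schemes are present in an APK."""
    return {"v1": has_v1_signature(data), "v2plus": has_v2_or_later_block(data)}


def is_v1_only(data: bytes) -> bool:
    """True when the APK carries only a v1 signature, the property the report calls out."""
    schemes = signing_schemes(data)
    return schemes["v1"] and not schemes["v2plus"]


# --- constructed sample APKs so the check can run offline (placeholders, not malware) ---

def insert_fake_signing_block(data: bytes) -> bytes:
    """Splice an empty APK Signing Block before the central directory and fix the EOCD offset."""
    eocd = data.rfind(EOCD_SIGNATURE)
    cd = struct.unpack_from("<I", data, eocd + 16)[0]
    # Block layout: uint64 size (excludes this field) | id-value pairs (none here) | uint64 size | magic
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd + len(block))
    return bytes(patched)


def build_sample_apk(with_v2_block: bool) -> bytes:
    """Minimal ZIP with placeholder contents and v1-style signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder (real manifests are binary XML)")
        z.writestr("classes.dex", b"placeholder dex")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    data = buf.getvalue()
    return insert_fake_signing_block(data) if with_v2_block else data


if __name__ == "__main__":
    for label, apk in (("v1-only", build_sample_apk(False)), ("v1+v2", build_sample_apk(True))):
        print(label, signing_schemes(apk), "flag:", is_v1_only(apk))
```

This is a structural triage heuristic, not a verification: it reports which scheme markers are present, not whether the signatures validate or who signed. For an authoritative answer use `apksigner verify --print-certs` from the Android SDK build tools, which checks the signatures themselves and prints the signer certificates.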
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Jul 2025 07:50:12 +0000