Hackers Deploy Malicious Telegram APKs via Hundreds of Typosquatted Domains
- Aaron Isaacs, PhD
- Feb 18
- 2 min read
Updated: Mar 16
A large Android malware campaign is distributing fake Telegram APKs through hundreds of typosquatted domains. Learn how the campaign works, indicators of compromise, immediate mitigations, and how the Isaacs Group can help secure mobile fleets and respond to supply‑chain threats.
Security researchers reported a widespread campaign that lures users to typosquatted sites and QR landing pages to download malicious Telegram APKs. The rogue apps request broad permissions, use outdated signing, and include remote command execution capabilities and persistent control channels. This post summarizes the technical details, indicators of compromise, recommended remediations, and a practical call to action for security teams.
Understanding the Threat Landscape
What Happened
Attackers registered hundreds of domains that mimic Telegram branding. They publish pages and QR codes that point to sideloadable APKs.
The malicious APKs:
Are distributed from typosquatted and SEO-poisoned landing pages.
Use outdated Android signing (v1) and insecure download channels, increasing risk on older Android versions.
Request broad permissions such as external storage access and create persistent control channels enabling remote command execution.
Leverage misconfigured or abandoned cloud endpoints to maintain control and persistence even after takedowns.

Indicators of Compromise
Domains and Artifacts to Block and Monitor
Typosquat domain examples and patterns used to mimic Telegram branding.
Known malicious JavaScript fingerprinting file: https://telegramt.net/static/js/js.js?v=3.
C2/analytics domain observed: `dszb7[.]com`.
Sample APK Hashes
MD5: `acff2bf000f2a53f7f02ef2f105c196`
MD5: `efddc2dddc849517a06b89095b44647`
SHA‑1: `9650ae4f4cb81602700bafe81d96e895aeb6aa5`
SHA‑1: `6f643666728eebc1c48b497f84f5c4d252fe1bc`
Ingest these IOCs into your threat intelligence platform, DNS filtering, and endpoint protection tools. Monitor for similar typosquat patterns and newly registered domains that mimic your brand or common third-party services.
Immediate Actions for Security Teams
Block and Monitor: Block and monitor the listed domains, typosquat patterns, and C2 hosts at DNS, web proxy, and perimeter firewalls.
Harden Android Device Policies: Disable sideloading for corporate devices, enforce managed Google Play, and require Play Protect and MTD (Mobile Threat Defense).
Patch and Isolate Devices: Patch and isolate devices running Android 5.0–8.0 or otherwise vulnerable to legacy signing issues; apply mitigations or remove them from sensitive networks.
Detect Anomalous Behavior: Add SIEM rules for unexpected outbound connections, unusual MediaPlayer/socket activity, and suspicious Firebase access.
Coordinate Takedowns: Work with registrars, hosting providers, and search engines to remove malicious pages and QR landing hubs; automate monitoring for new typosquat registrations.
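As an added example that is not part of the original post, the following Python classifies DNS resolver log lines against the two domain indicators above and a simple Telegram typosquat heuristic (brand embedded in the label, or one edit away); the sample log lines are constructed, and the allowlist and the "last two labels" domain trimming are assumptions to adapt to your own environment.

```python
# Indicators from the post; dszb7[.]com is written defanged there.
KNOWN_BAD = {"telegramt.net", "dszb7.com"}
ALLOWED = {"telegram.org", "telegram.me", "t.me"}  # assumption: add your own allowlist
BRAND = "telegram"

def registrable(domain: str) -> str:
    """Crude eTLD+1: keep the last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as telegran."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> str:
    """Return 'ioc', 'typosquat' or 'ok' for one queried name."""
    base = registrable(domain)
    if base in KNOWN_BAD:
        return "ioc"
    label = base.split(".")[0]
    # Brand embedded in the label (telegramt, telegram-apk) or one edit away (telegran).
    if base not in ALLOWED and (BRAND in label or levenshtein(label, BRAND) <= 1):
        return "typosquat"
    return "ok"

# Constructed resolver log, one "<timestamp> <client> query <name>" per line.
SAMPLE_LOG = """\
2025-02-18T10:01:02Z 10.0.0.12 query telegram.org
2025-02-18T10:01:05Z 10.0.0.12 query cdn.telegramt.net
2025-02-18T10:01:09Z 10.0.0.31 query telegran.app
2025-02-18T10:02:00Z 10.0.0.31 query dszb7.com
2025-02-18T10:02:30Z 10.0.0.44 query example.com
"""

def scan(log: str) -> list:
    """Return (client, name, verdict) for every line that is not 'ok'."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines instead of crashing on them
        verdict = classify(parts[3])
        if verdict != "ok":
            hits.append((parts[1], parts[3], verdict))
    return hits
```

Feed `scan()` your resolver or proxy export and forward the hits to the SIEM; the `typosquat` verdict is a triage signal, not proof of compromise, so pair it with the outbound-connection rules above.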
How the Isaacs Group Can Help
The Isaacs Group provides a focused program to reduce mobile supply‑chain risk and accelerate response:
Threat Intelligence Operationalization: Ingest and operationalize IOCs across DNS, proxy, EDR, and SIEM.
Mobile Fleet Hardening: MDM/EMM policy design, managed Google Play enforcement, and Mobile Threat Defense deployment.
Detection and Response: Custom SIEM rules, mobile compromise playbooks, and rapid containment for C2 and cloud endpoint hijacks.
Incident Readiness and Takedown Support: Tabletop exercises, takedown coordination with registrars and hosting providers, and vendor remediation assistance.
Contact the Isaacs Group for a targeted mobile supply‑chain risk assessment and a prioritized remediation plan tailored to your environment.
In conclusion, staying vigilant against these threats is crucial. Implementing robust security measures and leveraging expert support can significantly enhance your organization's cybersecurity posture. Don't wait for an incident to occur. Act now to secure your mobile environment and protect your assets.
Source: CyberPress / PreCrime Labs