If you downloaded Telegram outside the Play Store, you might be infected. Researchers at PreCrime Labs (a part of BforeAI) have uncovered a massive malware operation targeting Android users, active since July 2025. The attack involves no fewer than 607 malicious domains that mimic official Telegram download pages to distribute fake, malware-laden apps.
These websites are crafted to deceive users using tactics such as:
Typosquatting (domains with common spelling mistakes)
QR code redirects
SEO-optimized blog-style pages that appear legitimate
All with the goal of making you believe you're downloading Telegram from a trusted source… when in fact, you're letting malware into your device.
Attackers are using a mix of phishing emails, QR codes on social media or messaging apps, and well-designed websites that appear harmless — even professional-looking blogs.
Once a user downloads one of these APK files (between 60 and 70 MB), what they get is a fake version of Telegram that looks and works just like the original, but with a hidden twist: it's designed to spy on you and cause serious issues.
Though it appears legitimate, the fake app actually:
Requests excessive permissions, such as full access to your storage, camera, and microphone
Allows remote command execution, meaning someone can control your phone from elsewhere
Leaks your personal data (messages, files, credentials) using insecure protocols like HTTP or FTP
In other words, you're using what looks like Telegram, but you're really handing over your personal information to cybercriminals.
The websites created by the attackers perfectly mimic Telegram’s visual identity. They use the same colors, logos, and phrases like: “Download from the official Paper Plane website.”
Moreover, these sites are carefully optimized to show up in search results, especially when someone searches for terms like:
“Download Telegram APK”
“Telegram for Android without Play Store”
“Latest Telegram version Android”
This means that if you're not paying close attention, you could easily end up on one of these fake sites without realizing it.
A blog-style page distributing a fake Telegram APK that requests dangerous permissions in order to infect the device
One of the most dangerous tricks behind this campaign is the use of an old but effective vulnerability known as Janus (CVE-2017-13156). This flaw affects APKs signed with Android’s v1 signature scheme (yes, the oldest one), allowing malicious code to be injected into a legitimate app without breaking its digital signature. The result? Security checks detect nothing suspicious because the app still appears “legit” to the operating system.
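The Janus point above boils down to a property a defender can check statically: an APK that carries only a v1 (JAR) signature, with no v2/v3 APK Signing Block, is the kind of package the flaw could be used against on an unpatched device, and a Janus-style hybrid file starts with a DEX header rather than a ZIP header. The following Python script is an added example, not code from the article or from BforeAI/PreCrime Labs. The block IDs, footer magic and record layouts are the ones defined in AOSP and the ZIP specification; every sample APK it handles is constructed in memory (no real app or malware is involved), and `build_sample_apk` / `add_signing_block` exist only to produce those fixtures.

```python
"""Static triage of an APK for Janus-relevant indicators (added example)."""
import io
import struct
import sys
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # footer magic defined by AOSP
DEX_MAGIC = b"dex\n"                        # first 4 bytes of every DEX file
EOCD_SIGNATURE = b"PK\x05\x06"              # ZIP End Of Central Directory record
V2_BLOCK_ID = 0x7109871A                    # AOSP id of the v2 signature block
V3_BLOCK_ID = 0xF05368C0                    # AOSP id of the v3 signature block


def _central_directory_start(apk):
    """Return the byte offset at which the central directory actually begins."""
    eocd_pos = apk.rfind(EOCD_SIGNATURE)
    if eocd_pos < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size = struct.unpack_from("<I", apk, eocd_pos + 12)[0]
    return eocd_pos - cd_size


def signing_block_ids(apk):
    """IDs of the ID-value pairs in the APK Signing Block; [] if there is none."""
    cd_start = _central_directory_start(apk)
    if cd_start < 24 or apk[cd_start - 16:cd_start] != APK_SIG_BLOCK_MAGIC:
        return []
    size_of_block = struct.unpack_from("<Q", apk, cd_start - 24)[0]
    pos = cd_start - size_of_block   # first pair, just after the leading size field
    pairs_end = cd_start - 24        # trailing size field + magic start here
    ids = []
    while pos < pairs_end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]   # length of id + value
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def triage_apk(apk):
    """Summarize signature-scheme and hybrid-file indicators for one APK."""
    ids = signing_block_ids(apk)
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        # v1 (JAR) signing leaves signature-block files under META-INF/
        has_v1 = any(
            n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
            for n in zf.namelist()
        )
    has_v2_or_v3 = V2_BLOCK_ID in ids or V3_BLOCK_ID in ids
    return {
        "starts_with_dex_header": apk.startswith(DEX_MAGIC),
        "has_v1_signature": has_v1,
        "has_v2_or_v3_block": has_v2_or_v3,
        "v1_only": has_v1 and not has_v2_or_v3,
    }


def build_sample_apk(v1_signed):
    """Constructed fixture: a minimal APK-shaped ZIP, not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        if v1_signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not real PKCS#7
    return buf.getvalue()


def add_signing_block(apk, block_id, value=b"\x00" * 16):
    """Constructed fixture: splice one ID-value pair, framed as an APK Signing
    Block, in front of the central directory. Only the framing is real; the
    value is a placeholder, so this is a layout fixture, not a valid signature."""
    cd_start = _central_directory_start(apk)
    eocd_pos = apk.rfind(EOCD_SIGNATURE)
    pair = struct.pack("<QI", 4 + len(value), block_id) + value
    size_of_block = len(pair) + 8 + 16              # pairs + trailing size + magic
    block = (struct.pack("<Q", size_of_block) + pair
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    eocd = bytearray(apk[eocd_pos:])
    struct.pack_into("<I", eocd, 16, cd_start + len(block))   # repoint cd_offset
    return apk[:cd_start] + block + apk[cd_start:eocd_pos] + bytes(eocd)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_apk(fh.read()))
```

Run it as `python apk_triage.py some.apk`. Treat the output as a pre-check rather than a verdict: `v1_only` means the package lacks the v2/v3 protection that closes Janus, not that it is malicious, and a file whose first bytes are a DEX header deserves a closer look. For the authoritative answer on a real file, `apksigner verify --verbose app.apk` from the Android SDK build-tools prints which signature schemes actually verified.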
Once installed, this malicious software can do much more than just spy on you. Here are some of its most disturbing capabilities:
Remote command execution: It connects to a server controlled by the attacker and instantly follows commands.
Abuse of the MediaPlayer API: Potentially used to activate the microphone or eavesdrop on your surroundings.
Persistent socket connections: Allowing the attacker real-time control of your device, as if a backdoor is always open.
With this level of access, attackers can:
Steal personal files
Monitor everything you do on your phone
Launch further attacks from within by downloading more malware or secondary apps
Researchers also discovered that an earlier version of the malware connected to a Firebase endpoint: tmessages2[.]firebaseio[.]com.
This endpoint has since been taken down, but the risk hasn’t gone away. Why? Because if someone registers a new Firebase project with the same identifier, infected devices could automatically reconnect without the user knowing. In other words, the malware could “come back to life” if the infrastructure is reactivated.
Another alarming technical element is a malicious tracking script hosted at ajs.jstelegramt[.]net, which was responsible for:
Collecting device and browser fingerprint data
Sending that data to attacker-controlled servers
Including dormant code that could display fake download banners targeting Android users
This type of code is ideal for redirection campaigns, where attackers can push fake ads or redirect users to new malicious apps disguised as legitimate ones.
Analyzing the 607 domains used to distribute the Telegram-themed malware, researchers noticed something interesting: attackers combined popular, trustworthy TLDs with cheaper, less regulated ones, striking a balance between credibility and cost-effectiveness. Here’s how the domains break down by TLD:
.com: 316 domains
.top: 87
.xyz: 59
.online: 31
.site: 24
This pattern suggests a well-thought-out strategy: use familiar extensions like .com to build user trust, while leveraging cheaper TLDs to scale the campaign at low cost.
Most of these domains were registered through Gname, a registrar based in Asia, and hosted on servers in China — making it much harder to take them down through legal channels.
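The indicators quoted above (tmessages2[.]firebaseio[.]com and ajs.jstelegramt[.]net) and the TLD breakdown point to two routine defender tasks: checking DNS logs for the named hosts, and sorting a list of suspect domains by TLD and by how closely they imitate the Telegram brand. The Python below is an added example, not from the article or from the researchers. The DNS log lines (dnsmasq format) and the domain list are constructed for it; only the two indicator hostnames come from the article, and the brand-distance scoring is a simple edit-distance heuristic, not the method PreCrime Labs used.

```python
"""Defender-side triage of domain indicators (added example)."""
import re
from collections import Counter

# The two indicators quoted in the article, kept in their defanged form.
DEFANGED_IOCS = ["tmessages2[.]firebaseio[.]com", "ajs.jstelegramt[.]net"]
BRAND = "telegram"

# dnsmasq-style query log lines, constructed for this example.
SAMPLE_DNS_LOG = [
    "Jul 14 09:12:01 dnsmasq[812]: query[A] tmessages2.firebaseio.com from 10.0.0.23",
    "Jul 14 09:12:02 dnsmasq[812]: query[A] telegram.org from 10.0.0.23",
    "Jul 14 09:12:05 dnsmasq[812]: query[A] ajs.jstelegramt.net from 10.0.0.41",
    "Jul 14 09:12:06 dnsmasq[812]: query[A] cdn.example.com from 10.0.0.41",
]

# A constructed domain list in the style the article describes (not real IoCs).
SAMPLE_DOMAINS = [
    "telegram.org",            # the genuine site, for comparison
    "telegrarn-apk.com",       # "rn" standing in for "m"
    "telegran.com",            # one-letter substitution
    "telegram-apk-free.com",   # brand embedded in a longer label
    "telegam-android.top",     # dropped letter
    "teIegram.xyz",            # capital I standing in for l
    "tgdownload.online",       # no resemblance beyond the theme
    "telegram-download.site",
]

DNS_LOG_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def refang(indicator):
    """Turn a defanged indicator back into a resolvable, lower-cased hostname."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").strip().lower())


def match_dns_log(lines, defanged_iocs):
    """Return (client, qname) for queries that hit an indicator or a subdomain of it."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == ioc or qname.endswith("." + ioc) for ioc in iocs):
            hits.append((m.group("client"), qname))
    return hits


def registrable_parts(domain):
    """Split 'sub.example.top' into ('example', 'top'); naive, last label is the TLD."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def tld_breakdown(domains):
    """Count domains per TLD, the same view the article gives for its 607 domains."""
    return Counter(registrable_parts(d)[1] for d in domains)


def levenshtein(a, b):
    """Plain edit distance; inlined so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(domain, brand=BRAND):
    """0 if the brand appears verbatim in the second-level label, otherwise the
    smallest edit distance between the brand and any hyphen-separated token."""
    label, _ = registrable_parts(domain)
    if brand in label:
        return 0
    return min(levenshtein(token, brand) for token in label.split("-"))


def is_lookalike(domain, brand=BRAND, max_distance=2):
    """Heuristic typosquat flag: exact embed or within a couple of edits."""
    return brand_distance(domain, brand) <= max_distance


if __name__ == "__main__":
    print("DNS hits:", match_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS))
    print("TLD mix:", dict(tld_breakdown(SAMPLE_DOMAINS)))
    for d in SAMPLE_DOMAINS:
        print(f"{d:28s} distance={brand_distance(d)} lookalike={is_lookalike(d)}")
```

The DNS matcher also catches subdomains of an indicator, which matters for the Firebase host: the article's point is that the same project identifier could be re-registered, so a resolver log entry for it is worth an alert regardless of whether the endpoint is live today. The brand-distance heuristic is deliberately simple and will not catch homoglyphs in other scripts or IDN punycode; it is a sorting aid for a large domain list, not a classifier.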
Don’t install APKs from anywhere other than official stores (Google Play, AppGallery, etc.)
Verify app signatures if you must install from external sources (though it’s best not to)
Keep Android updated, especially if your device runs a version older than Android 8.0
Use a mobile antivirus that checks both app installation and behavior
Be wary of downloads via QR codes, emails, blogs, or suspicious links
Campaigns like this show how attackers are combining traditional phishing tactics with modern SEO and web design strategies to appear more convincing than ever—on a massive scale.
If you're an Android user, the golden rule is simple: Never download Telegram (or any app) from unofficial websites.