A sophisticated backdoor named Android.Backdoor.Baohuo.1.origin has been discovered in maliciously modified versions of Telegram X messenger, granting attackers complete control over victims’ accounts while operating undetected.
The malware infiltrates devices through deceptive in-app advertisements and third-party app stores, masquerading as legitimate dating and communication platforms.
With more than 58,000 infected devices spread across approximately 3,000 smartphone models, tablets, TV boxes, and even Android-based vehicle systems, this threat represents a significant escalation in mobile malware sophistication.
The backdoor’s distribution began in mid-2024, primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates.
Victims encounter advertisements within mobile applications that redirect them to counterfeit app catalogs featuring fake reviews and promotional banners advertising “free video chats” and dating opportunities.
These fraudulent websites deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.
Beyond malicious websites, the backdoor has infiltrated established third-party app repositories including APKPure, ApkSum, and AndroidP, where it was deceptively posted under the official messenger developer’s name despite having different digital signatures.
Dr.Web analysts identified the malware’s exceptional capability to steal confidential information including login credentials, passwords, and complete chat histories.
The backdoor conceals compromised account indicators by hiding third-party device connections from active Telegram session lists.
Additionally, it autonomously adds or removes users from channels, joins chats on behalf of victims, and disguises these actions entirely, transforming compromised accounts into tools for artificially inflating Telegram channel subscribers.
What distinguishes Android.Backdoor.Baohuo.1.origin from conventional Android threats is its unprecedented use of Redis database for command-and-control operations.
Earlier versions relied exclusively on traditional C2 servers, but malware authors progressively integrated Redis-based command reception while maintaining C2 server redundancy.
This represents the first documented instance of Redis database utilization in Android malware control mechanisms.
When initialized, the backdoor connects to its C2 server to retrieve configuration parameters including Redis connection credentials, enabling threat actors to issue commands and update trojan settings remotely.
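As an added illustration (not code from this report or from Dr.Web), the following Python sketch parses the client side of the Redis wire protocol (RESP) and flags a stream in which a client authenticates and then subscribes to a pub/sub channel, the traffic pattern a defender would look for when a mobile app is being driven over Redis as described above. The sample stream, channel name and credential are constructed.

```python
# Minimal parser for RESP, the protocol Redis clients speak. A client command is
# an array of bulk strings, e.g. "*2\r\n$9\r\nSUBSCRIBE\r\n$4\r\ncmds\r\n".

def parse_resp_commands(data: bytes) -> list:
    """Parse a client->server byte stream into a list of commands (lists of args)."""
    cmds, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array header at offset {pos}")
        end = data.index(b"\r\n", pos)
        count = int(data[pos + 1:end])
        pos = end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length = int(data[pos + 1:end])
            pos = end + 2
            args.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length + 2  # skip the payload and its trailing CRLF
        cmds.append(args)
    return cmds


def flag_redis_c2(data: bytes) -> dict:
    """Summarise pub/sub usage in one client stream: a client that AUTHs and
    SUBSCRIBEs is set up to receive pushed instructions over a Redis channel."""
    findings = {"authenticated": False, "channels": [], "published": []}
    for args in parse_resp_commands(data):
        name = args[0].upper()
        if name == "AUTH":
            findings["authenticated"] = True
        elif name in ("SUBSCRIBE", "PSUBSCRIBE"):
            findings["channels"].extend(args[1:])
        elif name == "PUBLISH" and len(args) >= 2:
            findings["published"].append(args[1])
    findings["suspicious"] = bool(findings["channels"] or findings["published"])
    return findings


# Constructed sample stream (not real traffic from this malware): the client
# authenticates, publishes a check-in, then subscribes to a command channel.
SAMPLE_STREAM = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\nredispwd\r\n"
    b"*3\r\n$7\r\nPUBLISH\r\n$7\r\ncheckin\r\n$9\r\ndevice-01\r\n"
    b"*2\r\n$9\r\nSUBSCRIBE\r\n$12\r\ncmd-channel1\r\n"
)

if __name__ == "__main__":
    print(flag_redis_c2(SAMPLE_STREAM))
```

A real detection would feed this parser from a packet capture or a proxy and also record the destination host and port, since a messenger client opening a Redis connection at all is itself the anomaly.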
Advanced Control Mechanisms and Data Exfiltration
The backdoor employs multiple techniques to manipulate messenger functionality without detection.
For operations that don’t interfere with core app features, cybercriminals utilize pre-prepared “mirrors” of messenger methods—separate code blocks responsible for specific tasks within Android program architecture.
These mirrors facilitate displaying phishing messages within windows that perfectly replicate authentic Telegram X interfaces.
For non-standard operations requiring deeper integration, the malware leverages the Xposed framework to dynamically modify app methods, enabling capabilities such as hiding specific chats, concealing authorized devices, and intercepting clipboard contents.
Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives extensive commands including uploading SMS messages, contacts, and clipboard contents whenever users minimize or restore the messenger window.
This clipboard monitoring enables sophisticated data theft scenarios where victims inadvertently expose cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications.
The backdoor systematically collects device information, installed application data, message histories, and authentication tokens, transmitting this intelligence to attackers every three minutes while maintaining the appearance of normal messenger operation.