Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

A new Android threat is rapidly gaining traction, disguised as counterfeit versions of the popular messaging app Telegram X. Security experts from Doctor Web have identified this malicious software as Android.Backdoor.Baohuo.1.origin, labeling it one of the most sophisticated Android backdoors observed this year.

The Baohuo malware masquerades as the legitimate Telegram X application, an official Telegram client designed to offer a faster and more experimental user experience. The genuine app is readily available on the Google Play Store, which makes the imitation all the more deceptive.

Original Telegram X App and Fake Version – The fake app is misusing the name Telegram FZ-LLC.

Victims typically encounter the fraudulent Telegram X app through online advertisements that promise enhanced features or a dating-focused version of the messenger. Upon installation, the app may seem to function normally; however, it silently connects to remote servers, granting attackers full control over the user’s Telegram account.

The Baohuo malware possesses the ability to conceal unauthorized logins and erase any traces of new or deleted chats and channels. This functionality allows attackers to join, leave, or modify channels without the user’s awareness, effectively granting them complete access to messages, contacts, and sessions, thus managing chats as if they were the account owner.

How Baohuo Works and Its Global Impact: 58,000 Devices Infected

Utilizing the Xposed framework, Baohuo can manipulate app behavior in real-time. This capability enables it to hide chats, devices, and notifications, or to display deceptive update popups that redirect users to malicious websites. Additionally, it creates “mirrors” of legitimate Telegram functions, allowing it to imitate normal app actions while executing its own harmful tasks.

One of the malicious sites used in the scam to spread Baohuo Android malware (Image via Dr Web)

According to Doctor Web analysts, the operation commenced in mid-2024 and has already compromised over 58,000 Android devices, including smartphones, tablets, TV boxes, and even automotive systems. The majority of infections have been reported in India, Brazil, and Indonesia, where users are targeted with localized advertisements crafted in Portuguese and Indonesian.

  1. India – 22.8%
  2. Brazil – 20.5%
  3. Indonesia – 9.6%
  4. Egypt – 5.5%
  5. Algeria – 4.0%
  6. Colombia – 3.1%
  7. Bangladesh – 2.2%
  8. Russia – 2.3%
  9. Iraq – 1.7%
  10. Pakistan – 1.7%
  11. Philippines – 1.7%

A New Way of Command and Control

The command-and-control mechanism employed by Baohuo raises significant concerns. Unlike previous Android malware, which typically relied on a conventional command-and-control (C2) server, Baohuo communicates directly with a Redis database; Doctor Web describes it as the first known Android malware to use this method for control.

This approach allows attackers to issue commands seamlessly and to maintain operations even if their primary C2 server becomes unavailable. The commands include uploading SMS messages and contacts, retrieving encryption keys, pushing advertisements, downloading updates, and gathering detailed information about the infected device.

Moreover, Baohuo can intercept clipboard data, capturing anything copied on the device, such as passwords or cryptocurrency wallet recovery phrases, and transmitting this sensitive information directly to the attacker’s server. The malware also performs regular check-ins, relaying details about the user’s activity, including whether the screen is active and the permissions granted to the app.
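Because a messaging client has no reason to speak the Redis wire protocol to an internet host, the Redis channel described above is something a network defender can look for in egress traffic from handsets. The following is an added example, not code from Doctor Web or from the malware: a minimal parser for the client side of the Redis protocol (RESP) that lists the commands carried in a captured payload; the sample payload, key names and device id are constructed, since the page does not document Baohuo's actual commands.

```python
# Added example (not from the Doctor Web report): a minimal parser for the
# client side of the Redis wire protocol (RESP) that lists the commands found
# in captured payload bytes. Baohuo's real command set and key names are not
# on the page; the sample payload below is constructed.
def parse_resp(buf: bytes):
    """Parse one client-side RESP value (bulk string or array); return (value, used)."""
    kind, end = buf[:1], buf.find(b"\r\n")
    if not kind or end == -1:
        raise ValueError("incomplete RESP frame")
    head = buf[1:end]
    if kind == b"$":                           # bulk string: $<len>\r\n<bytes>\r\n
        n = int(head)
        if n == -1:                            # null bulk string
            return None, end + 2
        start = end + 2
        if len(buf) < start + n + 2:
            raise ValueError("truncated bulk string")
        return buf[start:start + n], start + n + 2
    if kind == b"*":                           # array: *<count>\r\n then elements
        items, pos = [], end + 2
        for _ in range(int(head)):
            item, used = parse_resp(buf[pos:])
            items.append(item)
            pos += used
        return items, pos
    raise ValueError(f"not a client RESP marker: {kind!r}")

def resp_commands(buf: bytes):
    """Yield each top-level RESP array in buf as a list of decoded tokens."""
    pos = 0
    while pos < len(buf):
        value, used = parse_resp(buf[pos:])
        pos += used
        if isinstance(value, list):
            yield [t.decode(errors="replace") if isinstance(t, bytes) else t
                   for t in value]

def flag_redis_egress(payload: bytes):
    """Return Redis command names seen in a client-to-server payload (non-empty = alert)."""
    names = []
    try:
        for cmd in resp_commands(payload):
            if cmd:
                names.append(str(cmd[0]).upper())
    except ValueError:
        pass                                   # stop at the first non-RESP byte
    return names

# Constructed sample: AUTH, then a device check-in pushed onto a list key.
SAMPLE_PAYLOAD = (b"*2\r\n$4\r\nAUTH\r\n$8\r\npassword\r\n"
                  b"*3\r\n$5\r\nLPUSH\r\n$7\r\ncheckin\r\n$12\r\ndevice-id-01\r\n")
```

Run over the client-to-server half of a TCP stream from a mobile segment; any hit on a flow to a non-corporate host is worth investigating, whatever port it uses.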

Found in Popular Third-Party App Stores

Researchers have discovered the malware lurking in well-known third-party app stores like APKPure, ApkSum, and AndroidP. In certain instances, it was falsely attributed to Telegram’s actual developer, despite discrepancies in digital signatures. Doctor Web has taken steps to alert these platforms to the presence of trojanized files.

The company asserts that its mobile antivirus solutions can detect and eliminate all known variants of Baohuo. However, the proliferation of modified Telegram applications on unofficial platforms remains a pressing challenge. Users are strongly advised to download Telegram exclusively from the official Google Play Store or Telegram’s official website and to refrain from installing APKs from links in advertisements or unverified catalogs.
