Telegram Messenger Abused by Android Malware to Seize Full Device Control

Security researchers at Doctor Web have recently identified a highly sophisticated Android backdoor, cleverly disguised as Telegram X, which grants cybercriminals extensive control over victims’ accounts and devices. This malware, designated as Android.Backdoor.Baohuo.1.origin, has already compromised over 58,000 devices globally, with around 20,000 active infections currently under surveillance. This development marks a notable advancement in mobile malware capabilities, incorporating unprecedented control mechanisms through Redis database integration—an approach not previously documented in Android threats.

The backdoor primarily propagates through malicious websites masquerading as app catalogs, enticing users with deceptive advertisements that promise dating and video chat functionalities. Alarmingly, approximately 3,000 different device models—including smartphones, tablets, TV set-top boxes, and even vehicles equipped with Android-based on-board systems—have fallen victim to this malware.

Countries with the highest number of devices infected with Android.Backdoor.Baohuo.1.origin.

Victims often encounter misleading banners within legitimate mobile applications, which redirect them to fraudulent sites that mimic official app stores. These malicious websites prominently display testimonials from purportedly satisfied users discussing the ease of finding partners and communicating, complete with fabricated screenshots of video calling interfaces. Doctor Web’s analysis indicates that the cybercriminals have specifically tailored their attacks for the Brazilian and Indonesian markets, with malicious templates available solely in Portuguese and Indonesian. However, researchers caution that attackers may broaden their targeting to additional countries in the future.

The modified Telegram X with Android.Backdoor.Baohuo.1.origin.

The compromised versions of Telegram X have also appeared on third-party app stores, including APKPure, ApkSum, and AndroidP, where they are fraudulently distributed under the guise of the official Telegram developer’s identity, despite differing digital signatures from legitimate versions.

Unprecedented Capabilities

What sets Android.Backdoor.Baohuo.1.origin apart from conventional Android malware is its remarkable level of account manipulation. Beyond merely stealing credentials, chat histories, and personal data, the backdoor can meticulously conceal evidence of compromise by hiding unauthorized device connections from the victim’s active sessions list. The malware autonomously adds and removes users from Telegram channels and joins chats on behalf of the victim, all while remaining undetected.

The backdoor operates through three distinct modification variants, which range from direct embedding in the messenger’s main executable to dynamic loading via LSPatch tool injection. Regardless of the deployment method, the malicious messenger remains fully functional—a crucial characteristic that prevents user suspicion while allowing complete attacker control over messaging functionalities.

The malware’s command and control architecture introduces a groundbreaking technique within the Android threat landscape. While earlier variants relied on traditional command and control (C2) servers, current iterations utilize Redis database infrastructure for command delivery—an unprecedented approach in mobile malware. This dual-channel system ensures operational redundancy; if the Redis connection fails, the malware automatically reverts to standard C2 server communication.
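The Redis channel described above gives defenders a network-side hook: Redis clients speak RESP, in which a request is an array count line followed by length-prefixed bulk strings, and that framing is recognisable in the first bytes of a flow. The following added example is not code from the Doctor Web report or from the malware; it parses RESP framing and flags RESP-framed connections from device subnets to hosts outside an assumed internal range. The flow records, IP addresses, the `10.0.0.0/8` internal range and the function names are all constructed for the example.

```python
import ipaddress

# Assumption for this example: devices and any legitimate internal Redis
# caches both live in 10.0.0.0/8; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records, not real telemetry: one record per outbound
# TCP connection, with the first client payload bytes captured by a sensor.
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "dst": "203.0.113.10", "dport": 6379,
     "payload": b"*2\r\n$4\r\nAUTH\r\n$8\r\npassw0rd\r\n"},
    {"src": "10.20.0.15", "dst": "203.0.113.10", "dport": 6379,
     "payload": b"*2\r\n$9\r\nSUBSCRIBE\r\n$7\r\ncmd:abc\r\n"},
    # Ordinary TLS ClientHello: not RESP, so it is ignored.
    {"src": "10.20.0.15", "dst": "198.51.100.7", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    # RESP to an internal cache: expected traffic, not flagged.
    {"src": "10.20.0.33", "dst": "10.20.5.9", "dport": 6379,
     "payload": b"*1\r\n$4\r\nPING\r\n"},
    # RESP on a non-default port to an external host: still flagged.
    {"src": "10.20.0.41", "dst": "192.0.2.22", "dport": 8080,
     "payload": b"*3\r\n$3\r\nSET\r\n$2\r\nid\r\n$5\r\nabcde\r\n"},
    {"src": "10.20.0.41", "dst": "192.0.2.22", "dport": 80,
     "payload": b"GET /api/tasks HTTP/1.1\r\nHost: 192.0.2.22\r\n\r\n"},
]


def parse_resp_array(payload: bytes):
    """Parse one RESP array of bulk strings ("*N\\r\\n$len\\r\\n<bytes>\\r\\n"...).

    Returns the decoded items, or None if the bytes are not well-formed RESP.
    """
    if not payload.startswith(b"*"):
        return None
    end = payload.find(b"\r\n")
    if end < 0:
        return None
    try:
        count = int(payload[1:end])
    except ValueError:
        return None
    if count < 1:
        return None
    pos = end + 2
    items = []
    for _ in range(count):
        if pos >= len(payload) or payload[pos:pos + 1] != b"$":
            return None
        end = payload.find(b"\r\n", pos)
        if end < 0:
            return None
        try:
            length = int(payload[pos + 1:end])
        except ValueError:
            return None
        start = end + 2
        # Every bulk string must be complete and terminated by CRLF.
        if length < 0 or start + length + 2 > len(payload):
            return None
        if payload[start + length:start + length + 2] != b"\r\n":
            return None
        items.append(payload[start:start + length].decode("ascii", "replace"))
        pos = start + length + 2
    return items


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_redis_c2(flows):
    """Return flows whose client payload is a RESP command sent to an external host."""
    flagged = []
    for flow in flows:
        items = parse_resp_array(flow["payload"])
        if not items:
            continue
        command = items[0].upper()
        # A real Redis request starts with an alphabetic command word.
        if not command.isalpha():
            continue
        if is_internal(flow["dst"]):
            continue
        flagged.append({"src": flow["src"], "dst": flow["dst"],
                        "dport": flow["dport"], "command": command})
    return flagged


if __name__ == "__main__":
    for hit in flag_redis_c2(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} RESP {hit['command']}")
```

Matching on the port alone would miss the third flagged flow, which is why the check keys on the framing rather than on 6379. A plain-text RESP check sees nothing once the channel is wrapped in TLS, and the article does not say whether this sample encrypts its Redis connection; in that case the remaining network-side signals are the destination itself and the timing of the connections.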

Furthermore, the backdoor continuously extracts data streams, including SMS messages, contact lists, and clipboard contents. Particularly concerning is its clipboard interception capability, which captures sensitive information when users minimize the messenger—potentially exposing cryptocurrency wallet seeds, passwords, and confidential documents copied for legitimate purposes. Every three minutes, the malware uploads device permissions, screen status, and Telegram authentication credentials to attacker servers.
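The fixed three-minute upload interval is itself a detection signal, independent of what the uploads contain. The added example below is not from the article or from Doctor Web: it groups connection records by source, destination and port, measures the inter-arrival intervals for each pair and flags pairs whose intervals are near-constant. The log format, timestamps and addresses are constructed, and the `expected_period` parameter is an assumption used here to look specifically for a 180-second cadence.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed connection log, not real telemetry. Columns: UTC timestamp,
# source device address, destination address, destination port.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:00:10Z 10.20.0.33 198.51.100.7 443
2025-03-01T10:00:30Z 10.20.0.41 10.20.5.9 8443
2025-03-01T10:00:45Z 10.20.0.33 198.51.100.7 443
2025-03-01T10:03:02Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:05:30Z 10.20.0.41 10.20.5.9 8443
2025-03-01T10:05:59Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:07:12Z 10.20.0.33 198.51.100.7 443
2025-03-01T10:07:20Z 10.20.0.33 198.51.100.7 443
2025-03-01T10:09:00Z 10.20.0.33 198.51.100.7 443
2025-03-01T10:09:01Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:10:30Z 10.20.0.41 10.20.5.9 8443
2025-03-01T10:12:00Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:15:03Z 10.20.0.15 203.0.113.10 443
2025-03-01T10:15:30Z 10.20.0.41 10.20.5.9 8443
2025-03-01T10:20:30Z 10.20.0.41 10.20.5.9 8443
"""


def parse_log(text: str):
    """Turn the whitespace-separated log into (time, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, int(dport)))
    return events


def find_beacons(events, min_events=5, max_cv=0.05, expected_period=None, tolerance=0.1):
    """Flag (src, dst, dport) pairs whose connection intervals are near-constant.

    max_cv bounds the coefficient of variation (stdev / mean) of the intervals;
    expected_period, if given, additionally requires the mean interval to be
    within `tolerance` (a fraction) of that many seconds.
    """
    by_pair = defaultdict(list)
    for when, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(when)

    hits = []
    for (src, dst, dport), times in by_pair.items():
        times.sort()  # log lines from different devices interleave
        if len(times) < min_events:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv > max_cv:
            continue
        if expected_period is not None and abs(mean - expected_period) > tolerance * expected_period:
            continue
        hits.append({"src": src, "dst": dst, "dport": dport,
                     "period_s": round(mean, 1), "cv": round(cv, 3), "count": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG), expected_period=180):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every {hit['period_s']}s (cv={hit['cv']}, n={hit['count']})")
```

Run without `expected_period`, the function also surfaces the internal `10.20.5.9:8443` pair that checks in every five minutes; that is the usual false-positive class (MDM agents, push services, monitoring), which is handled by allowlisting known destinations rather than by loosening the jitter bound. Mobile devices behind carrier NAT will not show a stable source address, so in practice the grouping key comes from an on-device agent or MDM identifier rather than from the IP.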

Doctor Web’s telemetry indicates that approximately 3,000 distinct Android device models have been compromised, encompassing smartphones, tablets, television boxes, and even vehicles with Android-based operating systems. While Brazil and Indonesia are the primary targets, the global distribution highlights the threat’s extensive reach and the sophisticated infrastructure that supports the ongoing evolution of this malware.
