Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

A sophisticated backdoor, identified as Android.Backdoor.Baohuo.1.origin, has emerged within maliciously altered versions of the Telegram X messenger. This malware grants attackers comprehensive control over victims’ accounts while remaining undetected, marking a notable advancement in mobile malware capabilities.

The infiltration occurs through misleading in-app advertisements and third-party app stores, where the malware masquerades as legitimate dating and communication applications. Currently, over 58,000 devices have been compromised, affecting around 3,000 different smartphone models, tablets, TV boxes, and even Android-based vehicle systems. This widespread threat underscores a significant escalation in the sophistication of mobile malware.

The distribution of this backdoor began in mid-2024, with a primary focus on Brazilian and Indonesian users, utilizing Portuguese and Indonesian language templates to enhance its effectiveness. Victims are often lured by advertisements within mobile applications that redirect them to counterfeit app catalogs. These sites feature fake reviews and promotional banners that entice users with offers for “free video chats” and dating opportunities.

Image caption: one of the malicious sites from which the trojanized version of Telegram X is downloaded (Source: Dr.Web)

In addition to malicious websites, the backdoor has made its way into well-known third-party app repositories such as APKPure, ApkSum, and AndroidP, where it is listed under the official developer’s name even though the trojanized builds carry different digital signatures from the genuine app. Analysts from Dr.Web note that the malware can exfiltrate sensitive information, including login credentials, passwords, and complete chat histories.
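The mismatched signature is the one property a repackaged build cannot hide: whoever re-signs the APK must use their own certificate. The following is an added example (not code from Dr.Web, Telegram or any app store) of pinning the v1 (JAR) signer certificate with only the Python standard library. It walks the PKCS#7 block in META-INF/*.RSA with a minimal DER reader, hashes the first certificate, and compares the SHA-256 fingerprint to a pinned value; the sample APK and its "certificate" are constructed stand-ins, and APK Signature Scheme v2/v3 blocks are not parsed here.

```python
"""Pin an APK's v1 (JAR) signing certificate and flag repackaged builds.

Added example, standard library only. The signer certificate is pulled out of
META-INF/*.RSA with a minimal DER walker and its SHA-256 fingerprint compared
to a pinned value. v2/v3 APK Signing Blocks are out of scope for this check.
"""
import hashlib
import io
import zipfile


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def first_certificate(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    _, pos, _ = der_read_tlv(pkcs7, 0)                  # ContentInfo SEQUENCE
    tag, _, pos = der_read_tlv(pkcs7, pos)              # contentType OID
    if tag != 0x06:
        raise ValueError("not a PKCS#7 ContentInfo")
    _, pos, _ = der_read_tlv(pkcs7, pos)                # [0] EXPLICIT content
    _, pos, _ = der_read_tlv(pkcs7, pos)                # SignedData SEQUENCE
    for _ in range(3):                                  # skip version, digestAlgorithms, contentInfo
        _, _, pos = der_read_tlv(pkcs7, pos)
    tag, pos, _ = der_read_tlv(pkcs7, pos)              # [0] IMPLICIT certificates
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    _, _, end = der_read_tlv(pkcs7, pos)                # first Certificate SEQUENCE
    return pkcs7[pos:end]                               # tag + length + value


def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every v1 signer certificate found in the APK."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                cert = first_certificate(apk.read(name))
                fps.append(hashlib.sha256(cert).hexdigest())
    return fps


def check_signer(apk_bytes, pinned_fingerprint):
    """'ok' if the pinned fingerprint is among the signers, else a MISMATCH/unsigned verdict."""
    fps = signer_fingerprints(apk_bytes)
    if not fps:
        return "unsigned: no v1 signature block found"
    if pinned_fingerprint in fps:
        return "ok"
    return "MISMATCH: signed by " + ", ".join(fps)


def build_sample_apk(cert_body):
    """Constructed stand-in APK: a zip whose CERT.RSA wraps a dummy certificate
    SEQUENCE. It is not a real X.509 certificate; the fingerprint only hashes
    bytes, which is all this check needs."""
    cert = der_tlv(0x30, cert_body)
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                                               # version
        + der_tlv(0x31, b"")                                                 # digestAlgorithms (empty)
        + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010701")))  # contentInfo: pkcs7-data
        + der_tlv(0xA0, cert)                                                # certificates
        + der_tlv(0x31, b""))                                                # signerInfos (empty)
    pkcs7 = der_tlv(0x30,
        der_tlv(0x06, bytes.fromhex("2A864886F70D010702"))                   # pkcs7-signedData OID
        + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        apk.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        apk.writestr("META-INF/CERT.RSA", pkcs7)
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    genuine = build_sample_apk(b"constructed: official developer certificate")
    pinned = signer_fingerprints(genuine)[0]   # in practice, pin the fingerprint the vendor publishes
    print(check_signer(genuine, pinned))
    print(check_signer(build_sample_apk(b"constructed: repackager certificate"), pinned))
```

A store listing or a device-management policy that compares this fingerprint to the one published by the real developer catches a re-signed build regardless of the developer name shown on the listing page.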

The backdoor cleverly conceals signs of compromised accounts by hiding third-party device connections from active Telegram session lists. It autonomously manages user interactions, such as adding or removing users from channels and joining chats on behalf of victims, all while disguising these actions. This capability allows compromised accounts to be exploited for artificially inflating subscriber counts on Telegram channels.

What sets Android.Backdoor.Baohuo.1.origin apart from traditional Android threats is its innovative use of a Redis database for command-and-control operations. Previous iterations relied solely on conventional C2 servers; however, malware authors have progressively integrated Redis-based command reception, while still maintaining redundancy with C2 servers. This represents the first documented case of Redis database utilization in Android malware control mechanisms.

Advanced Control Mechanisms and Data Exfiltration

Employing a range of techniques, the backdoor manipulates messenger functionality without detection. For operations that do not interfere with core app features, cybercriminals utilize pre-prepared “mirrors” of messenger methods—distinct code blocks responsible for specific tasks within the Android architecture. These mirrors facilitate the display of phishing messages within windows that closely resemble authentic Telegram X interfaces.

For operations requiring deeper integration, the malware leverages the Xposed framework to dynamically alter app methods. This enables capabilities such as hiding specific chats, concealing authorized devices, and intercepting clipboard contents. Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives extensive commands, including the ability to upload SMS messages, contacts, and clipboard contents whenever users minimize or restore the messenger window.
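Because Redis speaks a simple, line-oriented wire protocol (RESP), a messenger that opens a Redis connection and subscribes to a channel is easy to recognise once the traffic is decoded. The block below is an added example for the Redis-based command channel described in this and the earlier paragraph; it is not Dr.Web's analysis tooling or the malware's code. It implements a RESP2 decoder and runs it over two constructed TCP payloads (client to server, server to client) to report pub/sub commands and pushed messages. The channel name and message contents are invented sample values.

```python
"""Decode Redis RESP frames from captured TCP payloads and flag pub/sub use.

Added example. Assumes the defender has both directions of a TCP stream between
a phone and a server (e.g. from a packet capture) and wants to know whether the
client spoke Redis and subscribed to a channel. Sample payloads are constructed.
"""

PUBSUB_VERBS = {"SUBSCRIBE", "PSUBSCRIBE", "SSUBSCRIBE", "PUBLISH", "SPUBLISH"}

# Constructed sample: phone -> server (AUTH, then subscribe to a command channel)
CLIENT_PAYLOAD = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\npassw0rd\r\n"
    b"*2\r\n$9\r\nSUBSCRIBE\r\n$10\r\ncmd:device\r\n"
)
# Constructed sample: server -> phone (+OK, subscribe confirmation, one pushed message)
SERVER_PAYLOAD = (
    b"+OK\r\n"
    b"*3\r\n$9\r\nsubscribe\r\n$10\r\ncmd:device\r\n:1\r\n"
    b"*3\r\n$7\r\nmessage\r\n$10\r\ncmd:device\r\n$16\r\nupload_clipboard\r\n"
)


def parse_resp(data, pos=0):
    """Parse one RESP2 value at data[pos]; return (value, position after it)."""
    kind = data[pos:pos + 1]
    end = data.index(b"\r\n", pos)
    line = data[pos + 1:end]
    nxt = end + 2
    if kind in (b"+", b"-"):                 # simple string / error
        return line.decode("ascii", "replace"), nxt
    if kind == b":":                         # integer
        return int(line), nxt
    if kind == b"$":                         # bulk string: "$<len>\r\n<bytes>\r\n"
        n = int(line)
        if n == -1:
            return None, nxt                 # null bulk string
        if data[nxt + n:nxt + n + 2] != b"\r\n":
            raise ValueError("truncated bulk string")
        return data[nxt:nxt + n], nxt + n + 2
    if kind == b"*":                         # array of <count> values
        n = int(line)
        items = []
        for _ in range(n):
            item, nxt = parse_resp(data, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"not RESP: leading byte {kind!r}")


def parse_stream(data):
    """Split a whole captured payload into RESP frames."""
    frames, pos = [], 0
    while pos < len(data):
        frame, pos = parse_resp(data, pos)
        frames.append(frame)
    return frames


def redis_c2_findings(client_payload, server_payload):
    """Return human-readable findings: client pub/sub commands and server pushes."""
    findings = []
    for frame in parse_stream(client_payload):
        # Client commands are arrays of bulk strings, verb first
        if isinstance(frame, list) and frame and isinstance(frame[0], bytes):
            verb = frame[0].decode("ascii", "replace").upper()
            if verb in PUBSUB_VERBS:
                args = " ".join(a.decode("utf-8", "replace") for a in frame[1:] if isinstance(a, bytes))
                findings.append(f"client {verb} {args}")
    for frame in parse_stream(server_payload):
        # Pushed messages arrive as ["message", channel, payload]
        if isinstance(frame, list) and len(frame) == 3 and frame[0] == b"message":
            findings.append(f"server push on {frame[1].decode('utf-8', 'replace')}: {len(frame[2])} bytes")
    return findings


if __name__ == "__main__":
    for finding in redis_c2_findings(CLIENT_PAYLOAD, SERVER_PAYLOAD):
        print(finding)
```

On a corporate network the simplest signal is even coarser: mobile devices have no business opening Redis connections to Internet hosts at all, so any RESP traffic from the handset VLAN is worth an alert before the payload is decoded.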

This clipboard monitoring feature allows for sophisticated data theft scenarios, where victims may inadvertently expose sensitive information such as cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications. The backdoor systematically gathers device information, installed application data, message histories, and authentication tokens, transmitting this intelligence to attackers every three minutes while maintaining the facade of normal messenger operation.
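A fixed three-minute exfiltration timer leaves a detectable rhythm in connection logs. The following is an added example, not Dr.Web's tooling, of flagging such beacons from a simple flow log. It assumes one line per connection in the form "<ISO-8601 UTC timestamp> <src> <dst> <dst_port>", groups connections by (src, dst, port), and flags tuples whose inter-connection intervals are tightly clustered. The log lines, addresses and the 180-second cadence in the sample are constructed to mirror the interval described above.

```python
"""Flag fixed-interval connections ("beacons") in constructed connection logs.

Added example. Assumes a flow log of "<timestamp> <src> <dst> <dst_port>" lines
and flags any (src, dst, port) tuple whose connection gaps barely vary, as a
periodic exfiltration timer would produce. All sample lines are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-08-01T10:00:00Z 10.0.0.5 198.51.100.20 443
2024-08-01T10:00:01Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:00:40Z 10.0.0.5 198.51.100.20 443
2024-08-01T10:03:01Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:06:02Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:07:15Z 10.0.0.5 198.51.100.20 443
2024-08-01T10:08:02Z 10.0.0.5 198.51.100.20 443
2024-08-01T10:09:01Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:12:03Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:15:01Z 10.0.0.5 203.0.113.7 6379
2024-08-01T10:20:30Z 10.0.0.5 198.51.100.20 443
2024-08-01T10:21:00Z 10.0.0.5 198.51.100.20 443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def interval_stats(times):
    """Return (median gap in seconds, coefficient of variation) for a list of timestamps."""
    times = sorted(times)
    if len(times) < 2:
        return 0.0, 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0   # low CV = regular timer
    return statistics.median(gaps), cv


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(src, dst, port, median_gap_seconds)] for flows that look like beacons."""
    hits = []
    for key, times in parse_flows(text).items():
        if len(times) < min_connections:        # too few samples to judge regularity
            continue
        median, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((*key, median))
    return hits


if __name__ == "__main__":
    for src, dst, port, gap in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst}:{port} every ~{gap:.0f}s")
```

The web-browsing flow in the sample has the same number of connections but irregular gaps, so the coefficient-of-variation threshold separates it from the timer-driven flow; real deployments tune `min_connections` and `max_cv` against their own baseline, since some legitimate apps also poll on fixed schedules.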

