A sophisticated backdoor, identified as Android.Backdoor.Baohuo.1.origin, has been discovered embedded within maliciously modified versions of the Telegram X messenger app. This malware grants attackers complete control over victims’ devices, enabling them to operate undetected.
Distribution and Infection Mechanism
The malware infiltrates devices through deceptive in-app advertisements and third-party app stores, masquerading as legitimate dating and communication platforms. Victims encounter advertisements within mobile applications that redirect them to counterfeit app catalogs featuring fake reviews and promotional banners advertising free video chats and dating opportunities. These fraudulent websites deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.
Beyond malicious websites, the backdoor has reached established third-party app repositories including APKPure, ApkSum, and AndroidP, where the trojanized builds were listed under the official messenger developer's name even though they are signed with a certificate that is not Telegram's. The signing certificate, not the listed developer name or the app's appearance, is the only reliable way to tell the copies apart.
Scope of Infection
Since mid-2024, over 58,000 devices—including smartphones, tablets, TV boxes, and Android-based vehicle systems—have been compromised. The primary targets are users in Brazil and Indonesia, with the malware utilizing Portuguese and Indonesian language templates to enhance its deceptive appeal.
Capabilities and Data Exfiltration
Dr.Web analysts report that the malware can steal confidential information, including login credentials, passwords, and complete chat histories. It hides the attacker's session from the list of active sessions in the victim's Telegram account, so the usual indicator of an account takeover, an unfamiliar device in that list, never appears. It also adds the victim's account to channels or removes it from them and joins chats on the victim's behalf while concealing these actions, turning compromised accounts into bots for artificially inflating Telegram channel subscriber counts.
The backdoor uses two techniques to alter the messenger's behaviour without visible changes. For actions that do not interfere with the app's core features, the trojan carries pre-built "mirrors" of Telegram X methods: its own copies of the units of code that perform particular tasks in the app, which it calls in place of the originals. The mirrors are used, for example, to display phishing messages in windows that replicate authentic Telegram X interfaces.
For non-standard operations that require changing the app's own code paths, the malware uses the Xposed framework to hook Telegram X methods at runtime and modify what they do. This is how it hides specific chats, conceals the attacker's authorized device, and intercepts clipboard contents.
Commands reach Android.Backdoor.Baohuo.1.origin over Redis channels as well as from conventional C2 servers. They include orders to upload SMS messages, contacts, and clipboard contents; the clipboard is read each time the user minimizes or restores the messenger window, so anything the victim has recently copied, such as a cryptocurrency wallet password, a mnemonic (seed) phrase, or confidential business text, is exposed.
The backdoor also collects device information, the list of installed applications, message histories, and authentication tokens, and sends this data to the attackers every three minutes while the messenger keeps working as the user expects.
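A fixed three-minute check-in is the kind of behaviour that network telemetry can catch even when the payload is encrypted. The script below is an added example (not code from Dr.Web or from the malware) that flags outbound flows with nearly constant inter-connection gaps in a per-app connection log; it assumes the log is a list of (timestamp in seconds, package name, destination) tuples such as an on-device firewall or network monitor would export, and the events it contains are constructed. Using the median absolute deviation rather than the standard deviation keeps one missed or delayed beacon from hiding the pattern.

```python
"""Beacon detection over a per-app connection log.

Added example (not code from Dr.Web or from the malware).  Assumes a log of
(timestamp_seconds, package_name, destination) tuples as an on-device
firewall or network monitor would export; the events below are constructed.
"""
from collections import defaultdict
from statistics import median

TELEGRAM_X_PKG = "org.thunderdog.challegram"  # Telegram X package name

# Constructed sample: one package contacts one host every ~3 minutes with a
# few seconds of jitter; a second package browses at irregular intervals.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real C2.
SAMPLE_EVENTS = [
    (0, TELEGRAM_X_PKG, "203.0.113.10"),
    (181, TELEGRAM_X_PKG, "203.0.113.10"),
    (359, TELEGRAM_X_PKG, "203.0.113.10"),
    (540, TELEGRAM_X_PKG, "203.0.113.10"),
    (722, TELEGRAM_X_PKG, "203.0.113.10"),
    (899, TELEGRAM_X_PKG, "203.0.113.10"),
    (1080, TELEGRAM_X_PKG, "203.0.113.10"),
    (5, "com.example.browser", "198.51.100.7"),
    (40, "com.example.browser", "198.51.100.7"),
    (600, "com.example.browser", "198.51.100.7"),
    (601, "com.example.browser", "198.51.100.7"),
    (2000, "com.example.browser", "198.51.100.7"),
    (2010, "com.example.browser", "198.51.100.7"),
]


def find_beacons(events, min_gaps=5, max_jitter=0.05):
    """Return {(package, destination): (median_gap_s, jitter)} for flows whose
    inter-connection gaps are nearly constant.

    jitter is the median absolute deviation of the gaps divided by the median
    gap, a robust measure that survives an occasional missed or delayed
    check-in.  0.05 means the gaps stay within roughly 5% of the period.
    """
    stamps_by_flow = defaultdict(list)
    for ts, pkg, dst in events:
        stamps_by_flow[(pkg, dst)].append(ts)

    beacons = {}
    for flow, stamps in stamps_by_flow.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue
        period = median(gaps)
        if period <= 0:
            continue
        jitter = median(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            beacons[flow] = (period, jitter)
    return beacons


def near_period(beacons, seconds, tolerance=0.1):
    """Keep only beacons whose period is within tolerance of a given interval,
    e.g. the three-minute cadence reported for Baohuo."""
    return {flow: stats for flow, stats in beacons.items()
            if abs(stats[0] - seconds) <= tolerance * seconds}


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_EVENTS)
    for (pkg, dst), (period, jitter) in near_period(hits, 180).items():
        print(f"{pkg} -> {dst}: every {period:.0f}s (jitter {jitter:.3f})")
```

On real data, run find_beacons over a day of flows per package and review anything with a low jitter value; the near_period filter is only a shortcut for hunting a known cadence, since a different sample or a later build can change the interval.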
Innovative Command-and-Control Mechanism
A distinguishing feature of Android.Backdoor.Baohuo.1.origin is its use of a Redis database for command-and-control (C2). Earlier versions relied solely on conventional C2 servers; the authors later added Redis-based command reception, which Dr.Web describes as the first documented use of Redis for controlling Android malware.
Upon initialization, the backdoor connects to its C2 server to retrieve configuration parameters, including the Redis connection credentials. This lets the operators issue commands and update the trojan's settings remotely, and it makes the implant more adaptable and resilient. It also has a consequence for defenders: because the Redis connection parameters are supplied by the C2 server at run time, static analysis of the APK yields the configuration server's address but not necessarily the Redis host, so blocking the command channel means observing that first configuration exchange.
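Redis speaks a simple text protocol (RESP), and a pub/sub command channel has a recognisable shape: the client authenticates, subscribes to a channel, and then receives pushed "message" arrays. The code below is an added example, not the malware's or Dr.Web's, that encodes and decodes RESP and flags a captured client stream that subscribes to a channel; the password, channel name and the upload_clipboard command payload are constructed placeholders, not values taken from the sample.

```python
"""RESP (Redis Serialization Protocol) codec and a pub/sub C2 detector.

Added example, not code from the malware or from Dr.Web.  It shows what a
Redis pub/sub command channel looks like on the wire and how to recognise
it in a reassembled TCP stream.  The channel name, password and command
payload are constructed placeholders.
"""


def encode_array(*items):
    """Encode a RESP array: str/bytes become bulk strings, ints become
    integers.  Client commands are arrays of bulk strings."""
    parts = [f"*{len(items)}\r\n".encode()]
    for item in items:
        if isinstance(item, int):
            parts.append(f":{item}\r\n".encode())
        else:
            raw = item.encode() if isinstance(item, str) else bytes(item)
            parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def decode(buf, pos=0):
    """Decode one RESP value at buf[pos]; return (value, position after it)."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line = buf[pos + 1:end]
    nxt = end + 2
    if kind in (b"+", b"-"):          # simple string / error
        return line.decode(), nxt
    if kind == b":":                  # integer
        return int(line), nxt
    if kind == b"$":                  # bulk string (-1 is the null bulk string)
        n = int(line)
        if n < 0:
            return None, nxt
        return bytes(buf[nxt:nxt + n]), nxt + n + 2
    if kind == b"*":                  # array (-1 is the null array)
        n = int(line)
        if n < 0:
            return None, nxt
        items = []
        for _ in range(n):
            value, nxt = decode(buf, nxt)
            items.append(value)
        return items, nxt
    raise ValueError(f"not RESP at offset {pos}: {kind!r}")


def decode_stream(buf):
    """Decode every RESP value in a reassembled TCP payload."""
    values, pos = [], 0
    while pos < len(buf):
        value, pos = decode(buf, pos)
        values.append(value)
    return values


def client_commands(buf):
    """Command names in a client->server stream (AUTH, SUBSCRIBE, ...)."""
    return [v[0].decode().upper() for v in decode_stream(buf)
            if isinstance(v, list) and v and isinstance(v[0], bytes)]


def pubsub_messages(buf):
    """(channel, payload) pairs pushed by the server to a subscriber."""
    return [(v[1], v[2]) for v in decode_stream(buf)
            if isinstance(v, list) and len(v) == 3 and v[0] == b"message"]


def looks_like_redis_c2(client_buf):
    """True if the stream parses as RESP and subscribes to a channel, the
    pattern to expect when commands are pushed through Redis pub/sub."""
    try:
        names = client_commands(client_buf)
    except (ValueError, IndexError):
        return False
    return bool({"SUBSCRIBE", "PSUBSCRIBE"} & set(names))


# Constructed exchange: the implant authenticates, subscribes to a
# per-device channel, and later receives a pushed command.
CLIENT_STREAM = (encode_array("AUTH", "placeholder-password")
                 + encode_array("SUBSCRIBE", "cmd:device:0001"))
SERVER_STREAM = (b"+OK\r\n"
                 + encode_array("subscribe", "cmd:device:0001", 1)
                 + encode_array("message", "cmd:device:0001",
                                '{"cmd":"upload_clipboard"}'))  # hypothetical command

if __name__ == "__main__":
    print("client commands:", client_commands(CLIENT_STREAM))
    print("pushed:", pubsub_messages(SERVER_STREAM))
    print("redis c2?", looks_like_redis_c2(CLIENT_STREAM))
```

In practice the check is worth running on any mobile app's outbound stream to a non-standard port, not only 6379: a messenger that opens a socket and speaks RESP is an anomaly on its own, and the plaintext AUTH reveals the credential the configuration server handed out.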
Implications and Recommendations
The discovery of Android.Backdoor.Baohuo.1.origin underscores the evolving sophistication of mobile malware and the increasing risks associated with downloading applications from unofficial sources. Users are strongly advised to:
– Download Apps from Official Sources: Always obtain applications from reputable platforms like the Google Play Store to minimize the risk of malware infection.
– Verify App Authenticity: Scrutinize app reviews, developer information, and the permissions requested during installation. For a sideloaded APK, also compare its signing certificate fingerprint with that of a copy obtained through an official channel: a listing under the developer's name means nothing if the signer differs, which is exactly how the trojanized builds appeared on third-party catalogs.
– Keep Software Updated: Regularly update your device’s operating system and applications to benefit from the latest security patches.
– Utilize Security Solutions: Employ reputable mobile security software to detect and prevent malware infections.
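The signature check behind the "verify app authenticity" advice can be scripted. The following is an added example (not from Dr.Web or Telegram) that wraps the Android build-tools command apksigner verify --print-certs, parses the "Signer #N certificate SHA-256 digest" lines it prints, and compares them with a fingerprint you pin. The fingerprint to pin is an assumption you supply from a known-good copy; it is not given here, and the digest in SAMPLE_OUTPUT is constructed, not Telegram X's.

```python
"""Pin an APK's signing certificate before sideloading.

Added example, not from Dr.Web or Telegram.  It wraps the Android
build-tools `apksigner verify --print-certs` command, whose output lists
one "Signer #N certificate SHA-256 digest: <hex>" line per signer, and
compares the digests with a fingerprint you trust.  The fingerprint to pin
is an assumption you supply (take it from a copy obtained through an
official channel); SAMPLE_OUTPUT below is constructed.
"""
import re
import subprocess

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M)


def normalize(fingerprint):
    """Accept 'AB:CD:..' or 'abcd..' forms and compare case-insensitively."""
    return fingerprint.replace(":", "").strip().lower()


def parse_signer_digests(apksigner_output):
    """All SHA-256 signer digests apksigner printed, lowercase hex."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]


def signer_digests_of(apk_path):
    """Run apksigner; a non-zero exit means the signature does not verify,
    which is already a reason not to install."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"apksigner rejected {apk_path}: {proc.stderr.strip()}")
    return parse_signer_digests(proc.stdout)


def signer_matches(digests, expected_fingerprint):
    """True only when every signer is the pinned one: an extra signer is as
    suspicious as a wrong one, and no signer at all is a parse failure."""
    expected = normalize(expected_fingerprint)
    return bool(digests) and all(d == expected for d in digests)


def check_apk(apk_path, expected_fingerprint):
    return signer_matches(signer_digests_of(apk_path), expected_fingerprint)


# Constructed apksigner output with a made-up digest (not Telegram's).
SAMPLE_OUTPUT = """Signer #1 certificate DN: CN=Example Signer, O=Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    import sys
    apk, pinned = sys.argv[1], sys.argv[2]
    print("OK" if check_apk(apk, pinned) else "SIGNER MISMATCH - do not install")
```

Usage: python check_signer.py TelegramX.apk <pinned-sha256>. Pin the fingerprint once from a trusted copy and keep it; the same script then rejects any repackaged build regardless of which store served it or whose name appears on the listing.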
By adhering to these practices, users can significantly reduce their vulnerability to such sophisticated threats.