Hackers use Telegram Messenger with dangerous Android malware to gain full system control


A sophisticated backdoor named Android.Backdoor.Baohuo.1.origin has been discovered in maliciously modified versions of Telegram X Messenger, granting attackers full control over victims’ accounts while remaining undetected.

The malware infiltrates devices via deceptive advertisements in apps and third-party app stores, masquerading as legitimate dating and communication platforms.

With more than 58,000 infected devices spread across approximately 3,000 models of Android-based smartphones, tablets, TV boxes and even vehicle systems, this threat represents a significant escalation in the sophistication of mobile malware.

Distribution of the backdoor began in mid-2024, primarily targeting Brazilian and Indonesian users via Portuguese- and Indonesian-language versions of the app.

Victims encounter ads in mobile apps that redirect them to counterfeit app catalogs containing fake reviews and promotional banners advertising “free video chats” and dating opportunities.

These scam websites deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.

One of the malicious sites from which the trojanized version of Telegram X is downloaded (Source: Dr.Web)

Beyond malicious websites, the backdoor infiltrated established third-party app repositories, including APKPure, ApkSum, and AndroidP, where it was deceptively published under the name of the messenger’s official developer despite having different digital signatures.

Dr.Web analysts identified the malware’s exceptional ability to steal confidential information, including login credentials, passwords and entire chat histories.

The backdoor conceals compromised account indicators by hiding third-party device connections from active Telegram session lists.

Moreover, it autonomously adds or removes users from channels, joins chats on behalf of victims and completely conceals these actions, turning compromised accounts into tools for artificially increasing the number of subscribers to Telegram channels.

What sets Android.Backdoor.Baohuo.1.origin apart from conventional Android threats is its unprecedented use of the Redis database for command and control operations.

Previous versions relied exclusively on traditional C2 servers, but the malware authors have gradually added Redis-based command retrieval while keeping the C2 servers for redundancy.

This is the first documented example of Redis database use in Android malware control mechanisms.

Once initialized, the backdoor connects to its C2 server to retrieve configuration settings, including Redis login credentials, allowing malicious actors to issue commands and update the Trojan settings remotely.
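As an added illustration that is not part of Dr.Web's report or this article: if a handset authenticates to a Redis server and subscribes to a channel, the traffic is plain RESP (the Redis wire protocol), which a network sensor can decode. The decoder below assumes only that the client speaks standard Redis (AUTH, then SUBSCRIBE/PUBLISH), and the captured payload is constructed for the example.

```python
# Added example (not from the Dr.Web report): decode RESP frames sent by a
# Redis client and flag an AUTH-then-SUBSCRIBE session, which is how a Redis
# pub/sub channel would be consumed as a command channel. Assumption: standard
# Redis commands; apply to TCP payloads from endpoint/mobile subnets toward
# hosts that are not your own Redis servers.
from typing import List, Optional, Tuple

def parse_resp_array(buf: bytes) -> Tuple[Optional[List[bytes]], bytes]:
    """Decode one RESP array of bulk strings; (None, buf) if invalid or truncated."""
    if not buf.startswith(b"*"):
        return None, buf
    end = buf.find(b"\r\n")
    if end < 0:
        return None, buf
    try:
        count = int(buf[1:end])
    except ValueError:
        return None, buf
    pos, args = end + 2, []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            return None, buf
        hdr_end = buf.find(b"\r\n", pos)
        if hdr_end < 0:
            return None, buf
        length = int(buf[pos + 1:hdr_end])
        start = hdr_end + 2
        if len(buf) < start + length + 2:   # bulk string body not fully present
            return None, buf
        args.append(buf[start:start + length])
        pos = start + length + 2
    return args, buf[pos:]

def decode_commands(payload: bytes) -> List[List[str]]:
    """Decode consecutive client commands; stops at the first malformed frame."""
    cmds = []
    while payload:
        args, payload = parse_resp_array(payload)
        if args is None:
            break
        cmds.append([a.decode("utf-8", "replace") for a in args])
    return cmds

SUSPICIOUS = {"AUTH", "SUBSCRIBE", "PSUBSCRIBE", "PUBLISH"}

def assess(payload: bytes) -> dict:
    """Summarise the command names and raise an alert on AUTH + channel subscription."""
    names = [c[0].upper() for c in decode_commands(payload) if c]
    hits = [n for n in names if n in SUSPICIOUS]
    subscribed = any(h in ("SUBSCRIBE", "PSUBSCRIBE") for h in hits)
    return {"commands": names, "suspicious": hits, "alert": "AUTH" in hits and subscribed}

# Constructed sample payload: a client authenticating, then subscribing to a channel.
SAMPLE = (b"*2\r\n$4\r\nAUTH\r\n$8\r\nhunter22\r\n"
          b"*2\r\n$9\r\nSUBSCRIBE\r\n$7\r\ncmd-ch1\r\n")
```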

Advanced control mechanisms and data exfiltration

The backdoor uses several techniques to manipulate the messenger’s functionality without detection.

For operations that do not interfere with the main functionality of the application, the cybercriminals use pre-prepared “mirrors” of the messenger’s methods: separate blocks of code responsible for specific tasks within the Android program architecture.

These mirrors make it easy to display phishing messages in windows that perfectly replicate genuine Telegram X interfaces.

For non-standard operations requiring deeper integration, the malware leverages the Xposed framework to dynamically change application methods, enabling features such as hiding specific chats, hiding authorized devices, and intercepting clipboard contents.

Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives a full set of commands, including collecting SMS messages, contacts, and clipboard contents every time users minimize or restore the messenger window.

This clipboard monitoring enables sophisticated data theft scenarios in which victims inadvertently expose cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications.

The backdoor systematically collects device information, installed app data, message history, and authentication tokens, transmitting this information to the attackers every three minutes while maintaining the appearance of normal messenger operation.
