Cyber Web Spider Blog – News
Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

Posted on October 25, 2025 (updated October 26, 2025) by CWS

A sophisticated backdoor named Android.Backdoor.Baohuo.1.origin has been found in maliciously modified versions of the Telegram X messenger, granting attackers full control over victims' accounts while operating undetected.

The malware infiltrates devices through deceptive in-app advertisements and third-party app stores, masquerading as legitimate dating and communication platforms.

With more than 58,000 infected devices spread across roughly 3,000 smartphone models, tablets, TV boxes, and even Android-based vehicle systems, this threat represents a significant escalation in mobile malware sophistication.

Distribution of the backdoor began in mid-2024, primarily targeting Brazilian and Indonesian users through Portuguese- and Indonesian-language templates.

Victims encounter advertisements inside mobile applications that redirect them to counterfeit app catalogs featuring fake reviews and promotional banners advertising "free video chats" and dating opportunities.

These fraudulent websites deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.

One of the malicious sites from which the trojanized version of Telegram X is downloaded (Source – Dr.Web)

Beyond malicious websites, the backdoor has infiltrated established third-party app repositories including APKPure, ApkSum, and AndroidP, where it was deceptively posted under the official messenger developer's name despite carrying different digital signatures.

Dr.Web analysts identified the malware's distinctive capability to steal confidential information, including login credentials, passwords, and full chat histories.

The backdoor conceals indicators of account compromise by hiding third-party device connections from the list of active Telegram sessions.

Moreover, it autonomously adds or removes users from channels, joins chats on behalf of victims, and disguises these actions entirely, turning compromised accounts into tools for artificially inflating Telegram channel subscriber counts.

What distinguishes Android.Backdoor.Baohuo.1.origin from typical Android threats is its unprecedented use of a Redis database for command-and-control operations.

Earlier versions relied exclusively on conventional C2 servers, but the malware authors progressively integrated Redis-based command reception while keeping the C2 servers as a redundant channel.

This represents the first documented instance of a Redis database being used as part of an Android malware control mechanism.

When initialized, the backdoor connects to its C2 server to retrieve configuration parameters, including Redis connection credentials, enabling the threat actors to issue commands and update trojan settings remotely.

Advanced Control Mechanisms and Data Exfiltration

The backdoor employs several techniques to manipulate messenger functionality without detection.

For operations that do not interfere with core app features, the cybercriminals use pre-prepared "mirrors" of messenger methods: separate code blocks responsible for specific tasks within the Android program structure.

These mirrors make it possible to display phishing messages in windows that exactly replicate genuine Telegram X interfaces.

For non-standard operations requiring deeper integration, the malware leverages the Xposed framework to dynamically modify app methods, enabling capabilities such as hiding specific chats, concealing authorized devices, and intercepting clipboard contents.

Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives an extensive set of commands, including uploading SMS messages, contacts, and clipboard contents whenever users minimize or restore the messenger window.
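Because the backdoor takes its commands over Redis channels, outbound Redis protocol (RESP) traffic from a phone is a practical network-detection signal. The following is an added example, not code from the article or from Dr.Web: a minimal RESP parser that pulls the commands out of a captured TCP payload and flags pub/sub and AUTH commands. It assumes the standard Redis wire format (the article does not describe the backdoor's exact exchanges), and the sample payload is constructed.

```python
# Added example: parse Redis RESP command arrays from a captured TCP payload and
# flag pub/sub or AUTH commands, which a mobile client has no legitimate reason to send.
from typing import List, Optional, Tuple

# Commands worth alerting on when they originate from a handset (assumption for this example)
SUSPECT_COMMANDS = {"SUBSCRIBE", "PSUBSCRIBE", "PUBLISH", "AUTH"}

def parse_resp_array(buf: bytes) -> Optional[Tuple[List[bytes], bytes]]:
    """Parse one RESP array of bulk strings (how Redis clients encode commands).
    Returns (elements, remaining_bytes), or None if no complete array starts here."""
    if not buf.startswith(b"*"):
        return None
    end = buf.find(b"\r\n")
    if end == -1:
        return None
    count = int(buf[1:end])          # "*N\r\n" gives the element count
    pos = end + 2
    elems = []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":  # each element must be a bulk string "$len\r\n<data>\r\n"
            return None
        hdr_end = buf.find(b"\r\n", pos)
        if hdr_end == -1:
            return None
        length = int(buf[pos + 1:hdr_end])
        start = hdr_end + 2
        if length < 0 or len(buf) < start + length + 2:  # null bulk or truncated capture
            return None
        elems.append(buf[start:start + length])
        pos = start + length + 2
    return elems, buf[pos:]

def redis_commands(payload: bytes) -> List[List[str]]:
    """Split a TCP payload into the sequence of RESP commands it carries (stops at the first
    truncated or non-RESP frame, so inline/plain-text commands are ignored)."""
    cmds = []
    while payload:
        parsed = parse_resp_array(payload)
        if parsed is None:
            break
        elems, payload = parsed
        cmds.append([e.decode("utf-8", "replace") for e in elems])
    return cmds

def suspicious_commands(payload: bytes) -> List[str]:
    """One alert line per pub/sub or AUTH command found in the payload."""
    return [" ".join(c) for c in redis_commands(payload) if c and c[0].upper() in SUSPECT_COMMANDS]

# Constructed sample capture: an AUTH followed by a SUBSCRIBE to a control channel.
SAMPLE_PAYLOAD = (b"*2\r\n$4\r\nAUTH\r\n$8\r\npassw0rd\r\n"
                  b"*2\r\n$9\r\nSUBSCRIBE\r\n$8\r\ncmd-chan\r\n")
```

Run `suspicious_commands()` over reassembled TCP payloads from mobile-segment captures; two hits in a row from one handset is a strong indicator regardless of the destination port.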

This clipboard monitoring enables sophisticated data theft scenarios in which victims inadvertently expose cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications.

The backdoor systematically collects device information, installed application data, message histories, and authentication tokens, transmitting this intelligence to the attackers every three minutes while maintaining the appearance of normal messenger operation.
