
Baohuo Android backdoor steals Telegram accounts

Analysts at Doctor Web have discovered the Baohuo backdoor (Android.Backdoor.Baohuo.1.origin), hidden in modified versions of the Telegram X messenger. In addition to being able to steal a user’s confidential and account data, as well as chat history, the malware has a number of unique features. For example, it can hide connections from third-party devices in Telegram’s list of active sessions.

Additionally, the malware can add and remove the user from Telegram channels, join chats on their behalf and leave them, while concealing these actions.

In effect, Baohuo lets attackers take full control of the victim’s account and the messenger’s functions, while the trojan itself is used to artificially inflate subscriber counts in Telegram channels.

The researchers note that the malware’s operators control it in part via a Redis database, something not previously seen in Android threats. Experts estimate that the total number of Baohuo-infected devices exceeds 58,000.

The malware began spreading in mid-2024, as evidenced by earlier variants discovered during analysis. The primary delivery method for the backdoor is advertising inside mobile applications. Potential victims are shown ads offering to install the Telegram X messenger. When they click the banner, users are redirected to malicious sites, from which the malicious APK is downloaded.

Typically, such sites are styled like an app store, and Telegram X itself is positioned as a platform for easily finding a partner for chatting and dating.

Currently, the malware operators are using banner templates in only two languages: Portuguese (targeting users in Brazil) and Indonesian. In other words, the attackers’ primary targets are residents of Brazil and Indonesia. However, the researchers emphasize that over time the attackers’ interest may extend to users in other countries as well.

Examining the attackers’ network infrastructure made it possible to gauge the scale of their operations. During the analysis, researchers observed roughly 20,000 active Baohuo connections. It was noted that around 3,000 different models of smartphones, tablets, TV set-top boxes, and even cars with Android-based onboard computers were infected.

However, Baohuo is distributed not only through malicious websites. Researchers also found the backdoor in third-party Android app stores (for example, APKPure, ApkSum, and AndroidP). Moreover, on APKPure the malicious app is posted under the name of the messenger’s official developer, even though the digital signatures of the original and the trojanized modification differ. The researchers write that they notified all online platforms where malicious versions of Telegram X were found.

Doctor Web experts have identified several variants of the malware, which were grouped into three main categories of Telegram X modifications:

  • versions in which the attackers embedded the backdoor into the messenger’s main executable DEX file;
  • versions in which the backdoor, in the form of a patch, is dynamically injected into the executable DEX file using the LSPatch utility;
  • versions in which the backdoor resides in a separate DEX file in the app’s resources directory and is loaded dynamically.

Regardless of the modification type, Baohuo initializes when the messenger itself launches, while Telegram X remains fully functional and appears to users as a regular app.
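The three modification types differ mainly in where the backdoor’s DEX code sits inside the APK. The following triage script is an added example (not code from Doctor Web or the report): it locates DEX payloads by their magic bytes rather than by file name, so a payload renamed to hide under assets/ is still found, and it checks for an LSPatch marker directory whose path is my assumption, not a detail taken from the report.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # every DEX file starts with this magic
# Assumed marker directory for LSPatch-injected code (my assumption, not from the report).
LSPATCH_DIR = "assets/lspatch/"

def classify_dex_layout(apk_bytes):
    """Locate DEX code inside an APK by content (magic bytes), not by file name.
    root_dex: classes*.dex at the root (where an embedded backdoor would sit);
    nested_dex: DEX stored under assets/, res/ etc., the usual home of code
    meant for dynamic loading; lspatch: assumed LSPatch marker present."""
    root_dex, nested_dex = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            with zf.open(name) as fh:
                if fh.read(4) != DEX_MAGIC:
                    continue
            (nested_dex if "/" in name else root_dex).append(name)
    return {"root_dex": sorted(root_dex), "nested_dex": sorted(nested_dex),
            "lspatch": any(n.startswith(LSPATCH_DIR) for n in names)}

def triage_findings(layout):
    """Human-readable flags; these are leads, not verdicts, since some
    legitimate apps also ship DEX in assets/."""
    findings = []
    if layout["lspatch"]:
        findings.append("LSPatch marker directory present: patch-injected code")
    for name in layout["nested_dex"]:
        findings.append(f"DEX outside APK root: {name} (dynamic-loading candidate)")
    return findings

def build_sample_apk(entries):
    """Constructed minimal ZIP standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_apk({
        "AndroidManifest.xml": b"<constructed/>",
        "classes.dex": DEX_MAGIC + b"035\0",
        "assets/fonts/extra.bin": DEX_MAGIC + b"035\0",  # DEX under a misleading name
    })
    print("\n".join(triage_findings(classify_dex_layout(sample))))
```

A trojanized build of the first kind (backdoor merged into the main DEX) produces no flags here; for that case the signing certificate comparison the report mentions remains the practical check.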

When the malware operators need to perform an action that doesn’t require interfering with the app’s core functionality, they use pre-prepared “mirrors” of the necessary application methods. For example, these can be used to display phishing messages in windows that are visually indistinguishable from genuine Telegram X windows.

If the required action is non-standard, the Xposed framework is used, which directly alters specific messenger functionality through dynamic method modification. In particular, it is used to hide certain chats and authorized devices, as well as to intercept the contents of the clipboard.

The main difference between early versions of the malware and the current ones lies in how the trojan is controlled. In older modifications, communication with the attackers and receiving tasks from them was implemented in the traditional way—via a command-and-control server. Over time, however, the malware authors added to Baohuo the ability to send additional commands through a Redis database, expanding its functionality and providing themselves with two independent control channels.

In addition, new commands are duplicated via a conventional command-and-control server in case the database becomes unavailable. The report emphasizes that this is the first known instance of using Redis to control Android malware.

During startup, Baohuo connects to an initial command-and-control server to download a configuration, which also contains the Redis connection details. Through this database, the attackers not only send specific commands to the malicious app but also update the trojan’s settings. Among other things, they assign the address of the current command-and-control server as well as the NPS server. The latter is used to connect infected devices to the hackers’ internal network and turn them into proxies for accessing the internet.

Baohuo periodically communicates with the command-and-control server via API calls and can receive the following tasks:

  • upload incoming SMS messages and contacts from the infected device’s address book to the server;
  • send the clipboard contents to the server when the messenger is minimized and when returning to its window;
  • obtain from the server URLs for displaying ads, as well as the server address for downloading a trojan update in the form of an executable DEX file;
  • retrieve encryption keys used when sending certain data to the C2 server — for example, the clipboard contents;
  • request a set of commands to collect information about the apps installed on the device, message history, contacts from the device’s address book, and devices that are logged into Telegram (the request is made every 30 minutes);
  • request from the server a link to download a Telegram X update;
  • request from the server a configuration, which is saved as a JSON file;
  • request information about the Redis database;
  • upload device information to the server on every network activity of the messenger;
  • receive from the server a list of bots, which are then added to the Telegram contacts list;
  • every three minutes, transmit to the server information about the app’s current permissions, the device state (whether the screen is on or off, whether the app is active), as well as the mobile phone number with the name and password of the Telegram account;
  • every minute, request commands in a format similar to Redis database commands.

To receive commands via Redis, the malware connects to the corresponding server, where it registers its own subchannel—the hackers then connect to it. They publish tasks there, which the backdoor executes. The commands in this case are different:

  • create a blacklist of chats that will not be displayed to the user in the Telegram X window;
  • hide specified devices from the user in the list of devices authorized for their account;
  • block for a specified time the display of notifications from chats in the created blacklist;
  • show a dialog with information about a Telegram X app update — when tapped, the user is redirected to a specified site;
  • send information about all installed apps to the server;
  • reset the current Telegram authorization session on the infected device;
  • display an update prompt for Telegram X offering the user to install an APK file (if the file is missing, the trojan downloads it first);
  • remove the Telegram Premium badge in the app interface for the current user;
  • upload to the server information from Telegram X databases that store chat history, messages, and other sensitive data;
  • subscribe the user to a specified Telegram channel;
  • leave a specified Telegram channel;
  • join a Telegram chat on the user’s behalf via the provided link;
  • retrieve the list of devices where the user is logged in to Telegram;
  • request the user’s authentication token and send it to the server.
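The Redis control channel described above relies on ordinary Redis pub/sub commands, which travel over the wire in RESP framing. The following detector is an added example (not code from the report or from Doctor Web): it parses one RESP command from a TCP payload and flags SUBSCRIBE/PSUBSCRIBE/PUBLISH, the pattern a messenger app has no legitimate reason to emit; the sample payloads and channel name are constructed.

```python
# Constructed sample TCP payloads (not captured traffic); the channel name is made up.
SAMPLE_SUBSCRIBE = b"*2\r\n$9\r\nSUBSCRIBE\r\n$14\r\ndevice:abc1234\r\n"
SAMPLE_HTTP = b"GET /api/config HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

PUBSUB_COMMANDS = {b"SUBSCRIBE", b"PSUBSCRIBE", b"PUBLISH"}

def parse_resp_command(payload):
    """Parse one RESP array of bulk strings, the framing every Redis client
    uses to send a command. Returns the argument list, or None when the
    bytes are not a complete, well-formed RESP command."""
    if not payload.startswith(b"*"):
        return None
    try:
        end = payload.index(b"\r\n")
        count = int(payload[1:end])
        pos = end + 2
        args = []
        for _ in range(count):
            if payload[pos:pos + 1] != b"$":
                return None  # not a bulk string (or payload truncated)
            end = payload.index(b"\r\n", pos)
            length = int(payload[pos + 1:end])
            start = end + 2
            if payload[start + length:start + length + 2] != b"\r\n":
                return None  # declared length does not match the data
            args.append(payload[start:start + length])
            pos = start + length + 2
        return args
    except ValueError:
        return None

def redis_pubsub_indicator(payload):
    """Return a finding when the payload carries a Redis pub/sub command
    (the control-channel pattern described for Baohuo); None otherwise."""
    args = parse_resp_command(payload)
    if not args or len(args) < 2:
        return None
    command = args[0].upper()
    if command not in PUBSUB_COMMANDS:
        return None
    # For PUBLISH the second argument is the channel and the third the message.
    return {"command": command.decode(), "channel": args[1].decode("utf-8", "replace")}

if __name__ == "__main__":
    for pkt in (SAMPLE_SUBSCRIBE, SAMPLE_HTTP):
        print(redis_pubsub_indicator(pkt))
```

Run against a flow that is already known to be Redis, this gives the channel name to pivot on; on its own, any RESP traffic from a messenger process to a remote host is already worth an alert.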

Researchers emphasize that intercepting clipboard data when a user minimizes the messenger and then returns to its window enables various scenarios for stealing sensitive information. For example, a victim might copy a password or a seed phrase for a crypto wallet, the text of an important document to email to business partners, and so on, and Baohuo will capture the data in the clipboard and transmit it to its operators.
