A sophisticated backdoor named Android.Backdoor.Baohuo.1.origin has been discovered in maliciously modified versions of Telegram X messenger, granting attackers complete control over victims\u2019 accounts while operating undetected.<\/p>\n
The malware infiltrates devices through deceptive in-app advertisements and third-party app stores, masquerading as legitimate dating and communication platforms.<\/p>\n
With more than 58,000 infected devices spread across approximately 3,000 smartphone models, tablets, TV boxes, and even Android-based vehicle systems, this threat represents a significant escalation in mobile malware sophistication.<\/p>\n
The backdoor\u2019s distribution began in mid-2024, primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates.<\/p>\n
Victims encounter advertisements within mobile applications that redirect them to counterfeit app catalogs featuring fake reviews and promotional banners advertising \u201cfree video chats\u201d and dating opportunities.<\/p>\n
These fraudulent websites<\/a> deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.<\/p>\n Beyond malicious websites, the backdoor has infiltrated established third-party app repositories including APKPure, ApkSum, and AndroidP, where it was deceptively posted under the official messenger developer\u2019s name despite having different digital signatures.<\/p>\n Dr.Web analysts identified<\/a> the malware\u2019s exceptional capability to steal confidential information including login credentials, passwords, and complete chat histories.<\/p>\n The backdoor conceals compromised account indicators by hiding third-party device connections from active Telegram session lists.<\/p>\n Additionally, it autonomously adds or removes users from channels, joins chats on behalf of victims, and disguises these actions entirely, transforming compromised accounts into tools for artificially inflating Telegram channel subscribers.<\/p>\n What distinguishes Android.Backdoor.Baohuo.1.origin from conventional Android threats is its unprecedented use of Redis database for command-and-control operations.<\/p>\n Earlier versions relied exclusively on traditional C2 servers, but malware authors progressively integrated Redis-based command reception while maintaining C2 server redundancy.<\/p>\n This represents the first documented instance of Redis database utilization in Android malware control mechanisms.<\/p>\n When initialized, the backdoor connects to its C2 server to retrieve configuration parameters including Redis connection credentials, enabling threat actors to issue commands and update trojan settings remotely.<\/p>\n The backdoor employs multiple techniques to manipulate messenger functionality without detection.<\/p>\n For operations that don\u2019t interfere with core app features, cybercriminals utilize pre-prepared \u201cmirrors\u201d of messenger methods\u2014separate code blocks responsible for specific tasks within Android program architecture.<\/p>\n These mirrors facilitate displaying phishing messages<\/a> within windows that perfectly replicate authentic Telegram X interfaces.<\/p>\n For non-standard operations requiring deeper integration, the malware leverages the Xposed framework to dynamically modify app methods, enabling capabilities such as hiding specific chats, concealing authorized devices, and intercepting clipboard contents.<\/p>\n Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives extensive commands including uploading SMS messages, contacts, and clipboard contents whenever users minimize or restore the messenger window.<\/p>\n This clipboard monitoring enables sophisticated data theft<\/a> scenarios where victims inadvertently expose cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications.<\/p>\n The backdoor systematically collects device information, installed application data, message histories, and authentication tokens, transmitting this intelligence to attackers every three minutes while maintaining the appearance of normal messenger operation.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjc7By5VK0rW-MEb6coVH5QcqspCHqKliCpTR4Pm_IoSa5n3MDeH8jUYfGeOs9T0AZZy96zdPnNLHhsc3aTaVs8QClsV8ESNil2pQ24VADTEO6JagK5-XFjqZIMsW9Tpg9i9qddUgmu6d0Yr5ZgfhlvF3YD8Gta13pUErsgfQ3FYjIX220ccvlteSccNlI\/s16000\/One%2520of%2520the%2520malicious%2520sites%2520from%2520which%2520the%2520trojan%2520version%2520of%2520Telegram%2520X%2520is%2520downloaded%2520%28Source%2520-%2520Dr.WEB%29.webp?ssl=1\")
Advanced Control Mechanisms and Data Exfiltration<\/strong><\/h2>\n