Mallory

Android.Backdoor.Baohuo.1.origin

Android.Backdoor.Baohuo.1.origin is an Android backdoor embedded in maliciously modified and unofficial Telegram X messenger builds. Doctor Web reported it was distributed through malicious websites promoted via in-app advertisements and through third-party Android app catalogs, with targeting focused primarily on users in Indonesia and Brazil. The malware has also been observed in app-catalog lookalike sites and third-party stores including APKPure, ApkSum, and AndroidP. Distribution reportedly began in mid-2024, and Doctor Web estimated infections exceeded 58,000 devices across roughly 3,000 Android device models, including smartphones, tablets, TV boxes, and Android-based in-vehicle systems.

Its core capability is Telegram account takeover and covert control of the messenger. Reported functionality includes stealing Telegram logins and passwords, the account phone number, the Telegram account name, chat history, contacts, authorized-device/session information, SMS messages, clipboard contents, installed-app information, and device telemetry. Doctor Web stated attackers can gain full control over the victim’s Telegram account and messenger behavior, including joining or leaving chats and channels on the victim’s behalf, adding or removing victims from channels, concealing newly authorized devices or third-party session connections in Telegram, and hiding certain attacker-driven actions and messages. The malware can also display phishing windows indistinguishable from legitimate Telegram X windows and was described as being used to boost Telegram channel subscriber counts.

On the technical side, Doctor Web reported three implant approaches in trojanized Telegram X variants: code embedded in the main DEX, code dynamically loaded as a patch using LSPatch, or code placed in a separate DEX under resources and loaded dynamically. The backdoor initializes when the trojanized messenger launches, while preserving the app's normal functionality. It can use the Xposed framework to modify app methods dynamically, including hiding chats or devices and stealing clipboard data. For command and control, Doctor Web reported that older versions used a traditional C2 server, while later versions also used a Redis database for command delivery and settings updates, with C2 fallback retained. Doctor Web described Redis-based control as previously unseen in Android malware. The malware reportedly connects to an initial C2 server to retrieve configuration such as Redis connection details, and Redis can then be used to update the current C2 and NPS server addresses. Doctor Web also stated the malware can use an NPS server to connect infected devices to an attacker-controlled intranet and turn them into Internet proxies.
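Two of the three implant approaches described above (an LSPatch-injected patch and a secondary DEX stored under resources) leave traces in the APK's zip listing that a triage script can surface without running the app. The following is an added example, not code from Doctor Web or Mallory, and it makes two assumptions that are not stated on the page: that LSPatch places its loader and configuration under an `assets/lspatch/` prefix, and that a DEX file living anywhere other than the top-level `classes*.dex` slots is worth a second look. The sample APKs are constructed in memory and are not real malware.

```python
import io
import re
import zipfile

# Assumed markers (not indicators from the report): where the two
# dynamically-loaded implant styles would show up in an APK zip listing.
STANDARD_DEX = re.compile(r"^classes\d*\.dex$")  # classes.dex, classes2.dex, ...
LSPATCH_PREFIX = "assets/lspatch/"               # assumed LSPatch loader/config path
RESOURCE_DIRS = ("res/", "assets/")              # "separate DEX under resources"


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of one APK: extra DEX files and patch-framework markers."""
    findings = {"extra_dex": [], "resource_dex": [], "lspatch_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            # Any .dex outside the standard classes*.dex slots is unusual for a stock build
            if lower.endswith(".dex") and not STANDARD_DEX.match(name):
                findings["extra_dex"].append(name)
                if lower.startswith(RESOURCE_DIRS):
                    findings["resource_dex"].append(name)
            # LSPatch-style injection ships its loader and config as assets
            if lower.startswith(LSPATCH_PREFIX):
                findings["lspatch_markers"].append(name)
    findings["suspicious"] = bool(findings["extra_dex"] or findings["lspatch_markers"])
    return findings


def _build_sample(entries: dict) -> bytes:
    """Build a constructed in-memory APK (zip) for the demo; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one stock-looking build and one per implant style
CLEAN_APK = _build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035",
    "classes2.dex": b"dex\n035",
    "res/raw/keep.txt": b"x",
})
LSPATCH_APK = _build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035",
    "assets/lspatch/config.json": b"{}",
    "assets/lspatch/loader.dex": b"dex\n035",
})
RESOURCE_DEX_APK = _build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035",
    "res/raw/module.dex": b"dex\n035",
})

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("lspatch", LSPATCH_APK),
                       ("resource_dex", RESOURCE_DEX_APK)):
        print(label, triage_apk(apk))
```

These findings are triage signals, not verdicts: legitimate apps with plugin or hot-update frameworks also ship extra DEX files, and the first implant style on the page (code merged into the main DEX) leaves no listing-level trace at all. For that variant the stronger control is the one the report implies: compare the APK's signing certificate against the official Telegram X release certificate and treat any mismatch on a sideloaded build as a finding in its own right.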

High-confidence indicators and behaviors directly mentioned in the reporting include use of unofficial Telegram X APKs, malicious websites and third-party app catalogs as infection vectors, credential theft from Telegram accounts, exfiltration of SMS, contacts, clipboard contents, Telegram data and tokens, covert manipulation of Telegram sessions and channel membership, Xposed/LSPatch-based app modification, and dual control via both a conventional C2 server and Redis.
