Baohuo Backdoor Hijacks 58,000 Telegram X Accounts for Covert Takeover
The malicious modification of Telegram X discovered by Doctor Web's analysts is far more than a simple espionage tool: it is a fully fledged platform for the covert takeover and remote control of user accounts. The embedded Trojan, identified as Android.Backdoor.Baohuo.1.origin, executes inside the messenger's own process, so it has the same access to the account as the legitimate client. That lets attackers not only steal messages, logins, passwords, and chat histories but also silently attach to the victim's account, alter the list of authorized devices, and hide the traces of their activity.
With this capability, threat actors can also manage channel subscriptions, join chats, and manipulate other Telegram functions on behalf of the victim. These features make Baohuo a powerful tool for both channel promotion and targeted cyberattacks.
The infection campaign began in mid-2024, with more than 58,000 compromised devices recorded to date. Distribution occurs through fraudulent websites designed to mimic legitimate app directories, where the Trojan masquerades as Telegram X. Visitors are enticed to install what appears to be a messenger for video chats and dating, reinforced by fake reviews and screenshots that lend an air of authenticity.
These sites primarily target users in Brazil and Indonesia, featuring simplified translations in just those two languages. However, the infection has spread across a wide range of devices—from smartphones to automotive systems running Android.
In addition to phishing pages, the malicious version of Telegram X was also discovered in third-party app stores, including APKPure, ApkSum, and AndroidP. On APKPure, the Trojan was even published under the real developer’s name, though the digital signature differed. Researchers have since notified the affected platforms about the compromised builds.
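The APKPure listing is the important detail for anyone who must sideload: the developer name a store displays is copied trivially, while the signing certificate is not. The following check is an added example, not code from Doctor Web or Telegram; it parses the text printed by `apksigner verify --print-certs` (Android SDK build-tools) and compares the signer's SHA-256 digest against a pinned value. `EXPECTED_SHA256` is a placeholder, not the real Telegram X certificate digest, and the sample outputs are constructed.

```python
"""Added example (not Doctor Web's or Telegram's code): pin the signing
certificate digest of an APK instead of trusting the developer name a store
shows.  Parses the text that `apksigner verify --print-certs` prints.
EXPECTED_SHA256 is a placeholder, not the real Telegram X certificate digest:
record that yourself from a build installed through an official channel.
"""
import re
import subprocess

EXPECTED_SHA256 = "00" * 32  # placeholder pin (assumption); replace with your recorded digest

# apksigner prints one block per signer, e.g.
#   Signer #1 certificate DN: CN=...
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M
)
_DN_RE = re.compile(r"^Signer #\d+ certificate DN:\s*(.+?)\s*$", re.M)


def signer_digests(apksigner_output: str) -> list[str]:
    """Lowercase SHA-256 digests of every signer listed, in print order."""
    return [m.group(2).lower() for m in _DIGEST_RE.finditer(apksigner_output)]


def signer_dns(apksigner_output: str) -> list[str]:
    """Subject DNs of every signer: the 'developer name' a repackager can copy freely."""
    return _DN_RE.findall(apksigner_output)


def matches_pin(apksigner_output: str, expected: str = EXPECTED_SHA256) -> bool:
    """True only if exactly one signer is present and its digest equals the pin.
    A missing digest line (tool failed, output truncated) counts as a failure."""
    digests = signer_digests(apksigner_output)
    return len(digests) == 1 and digests[0] == expected.lower()


def verify_apk(path: str, expected: str = EXPECTED_SHA256) -> bool:
    """Run apksigner on a real file.  check=True turns a signature that does not
    verify into an exception instead of falling through to the comparison."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", path],
        capture_output=True, text=True, check=True,
    )
    return matches_pin(proc.stdout, expected)


# Constructed sample outputs in apksigner's format (digests and DN are made up).
# Same DN in both, different certificate: exactly the repackaging case.
GENUINE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + EXPECTED_SHA256 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "aa" * 20 + "\n"
)
REPACKAGED_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + "11" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "bb" * 20 + "\n"
)
```

The digest is the only field worth pinning here: the DN, which is what a store's developer name is normally derived from, is identical in both samples and therefore proves nothing about who built the package.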
Three principal variants of the modification were identified: one with the malicious code compiled directly into the main executable, one loaded through LSPatch, and one carrying a separate DEX file stored in the app's resources. Whichever variant is used, the Trojan activates as soon as the messenger starts, and its interface remains visually indistinguishable from the genuine Telegram X. Because it runs inside the app, it can hook the messenger's own methods or add new functionality through Xposed-style hooking, which is how it forges phishing dialogs, hides chats and devices, and intercepts clipboard contents.
Particular attention was drawn to its unconventional command-and-control system. In addition to a standard C2 server, Android.Backdoor.Baohuo.1.origin receives instructions through a Redis database, which Doctor Web describes as the first documented use of such a mechanism in an Android threat. Through Redis, the attackers distribute configurations and commands and collect data about infected devices, while keeping the conventional C2 channel as a fallback in case the database becomes inaccessible.
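For defenders, the Redis channel is a detection opportunity: a phone has no legitimate reason to speak the Redis wire protocol to an Internet host. The block below is an added example, not code from Doctor Web's report. It assumes the backdoor talks to Redis with the standard RESP protocol that every Redis client library emits (the report does not describe the wire format), and it matches on the protocol rather than on port 6379 because a C2 Redis instance need not listen on the default port. The hosts, ports, keys and credentials are constructed samples, not indicators from the report.

```python
"""Added example, not code from Doctor Web's report: surface Redis client
traffic from devices that have no business talking to Redis.  Assumes the
backdoor uses Redis's standard wire protocol (RESP); hosts, ports and
commands below are constructed samples, not indicators from the report.
"""
from typing import Optional


def encode_command(*args: str) -> bytes:
    """Encode a Redis command the way clients send it: a RESP array of bulk strings."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg.encode("utf-8")
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out


def _read_line(buf: bytes, pos: int, prefix: bytes) -> tuple[bytes, int]:
    """Read one '<prefix><payload>\\r\\n' line; return the payload and the next offset."""
    if buf[pos:pos + 1] != prefix:
        raise ValueError("unexpected RESP type byte")
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("truncated RESP line")
    return buf[pos + 1:end], end + 2


def _read_command(buf: bytes, pos: int) -> tuple[list[str], int]:
    """Read one client command: '*<n>' followed by n '$<len>' bulk strings."""
    count_raw, pos = _read_line(buf, pos, b"*")
    count = int(count_raw)                       # ValueError if not numeric
    if count < 1:
        raise ValueError("empty RESP array")
    parts: list[str] = []
    for _ in range(count):
        length_raw, pos = _read_line(buf, pos, b"$")
        length = int(length_raw)
        if length < 0 or buf[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError("bad RESP bulk string")
        parts.append(buf[pos:pos + length].decode("utf-8", "replace"))
        pos += length + 2
    return parts, pos


def parse_resp_commands(payload: bytes) -> list[list[str]]:
    """Parse consecutive client commands from a client->server TCP payload.
    Stops at the first malformed frame, so HTTP, TLS or random bytes yield []."""
    commands: list[list[str]] = []
    pos = 0
    while pos < len(payload):
        try:
            cmd, pos = _read_command(payload, pos)
        except ValueError:
            break
        commands.append(cmd)
    return commands


def classify_flow(src: str, dst: str, dst_port: int, payload: bytes,
                  trusted_redis: frozenset) -> Optional[dict]:
    """None if the payload is not Redis client traffic; otherwise a record whose
    'alert' flag is set when the server is not an approved Redis host."""
    commands = parse_resp_commands(payload)
    if not commands:
        return None
    return {
        "src": src,
        "dst": f"{dst}:{dst_port}",
        "commands": [c[0].upper() for c in commands],
        "alert": dst not in trusted_redis,
    }


def scan(flows, trusted_redis) -> list[dict]:
    """Return the alerting records for a list of (src, dst, dst_port, payload) tuples."""
    hits = []
    for src, dst, port, payload in flows:
        rec = classify_flow(src, dst, port, payload, trusted_redis)
        if rec and rec["alert"]:
            hits.append(rec)
    return hits


# Constructed flows: a phone on the Wi-Fi segment authenticating to an Internet
# Redis host on a non-default port and reading a per-device hash, an internal
# service talking to an approved cache, and plain HTTP from the same phone.
TRUSTED_REDIS = frozenset({"10.20.1.9"})
SAMPLE_FLOWS = [
    ("10.20.0.17", "203.0.113.45", 7000,
     encode_command("AUTH", "s3cret") + encode_command("HGETALL", "dev:a1b2c3")),
    ("10.20.1.5", "10.20.1.9", 6379, encode_command("PING")),
    ("10.20.0.17", "203.0.113.45", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]
```

Running `scan(SAMPLE_FLOWS, TRUSTED_REDIS)` yields a single record for the phone's AUTH and HGETALL to 203.0.113.45:7000; the approved cache traffic parses as Redis but does not alert, and the HTTP flow is ignored because it is not RESP. In practice the `trusted_redis` set would be the inventory of internal Redis servers, and the source set would be narrowed to mobile and BYOD address ranges.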
The Trojan possesses a broad array of capabilities: sending contacts and SMS messages, exfiltrating chat histories, retrieving device lists and authorization tokens, subscribing to channels, disabling chat notifications, spoofing interface elements, downloading updates, and even turning the infected device into a proxy server.
A particularly severe risk lies in its clipboard interception, since the clipboard routinely carries passwords, cryptocurrency wallet recovery phrases, and other sensitive data. The background clipboard restrictions Android has enforced since version 10 do not help here: the malicious code runs inside the foreground messenger the victim is actively using, which is allowed to read the clipboard.
Ultimately, this case underscores the danger of installing popular applications from unofficial sources. Malicious code hidden behind a familiar interface can lead to a complete loss of control over personal data and accounts. Users are strongly advised to install software only from official stores, to compare the signing certificate rather than the developer name when an APK must be sideloaded (the APKPure listing shows that a matching name proves nothing), to regularly review app permissions, and to check Telegram's active sessions from a device known to be clean, since a trojanized client can hide the sessions it adds.