
Lebanon Today
“Android.Backdoor.Baohuo.1.origin,” a sophisticated backdoor, has been discovered inside maliciously modified versions of the “Telegram X” application. The backdoor silently gives attackers full control of victims’ accounts.
The Trojan spreads through misleading advertisements shown inside other applications and in third-party app stores, where it is disguised as a “legitimate” dating and communication platform.
Dr.Web’s analysis revealed that more than 58,000 devices have been infected since mid-2024.
The infections were distributed across approximately 3,000 models, including smartphones, tablets, TV boxes, and vehicle systems running on Android.
The attack initially targeted users in Brazil and Indonesia using templates in Portuguese and Indonesian.
Victims encounter advertisements that redirect them to fake application catalogs with fabricated promotional reviews promising “free video calls” and dating opportunities. These catalogs offer Trojan-laden APK files that look identical to legitimate “Telegram X” installations.
The backdoor also leaked into external repositories such as “APKPure,” “ApkSum,” and “AndroidP,” where it was misleadingly listed under the official developer’s name even though its digital signature differs from that of the official build.
Analysts were able to detect the backdoor’s ability to steal login credentials, passwords, and entire chat histories.
It also hides compromised device connections from the “Telegram” active sessions lists, adds/removes users from channels or joins chats on behalf of victims, and turns accounts into tools for artificially inflating subscriber counts.
“Android.Backdoor.Baohuo.1.origin” uses a Redis database for command and control (C2) operations, the first documented use of this technique in Android malware.
After connecting to a conventional C2 server, the Trojan retrieves its configuration parameters, including the Redis credentials through which commands are issued and settings are updated remotely, while keeping redundant C2 servers available.
The backdoor manipulates messaging functions in various ways without drawing attention.
For operations that do not touch the core of the application, it uses pre-configured “replicas” of the messaging methods to display phishing messages in windows that mimic the original “Telegram X” interface.
For deeper tasks, it leverages the Xposed framework to dynamically modify methods, enabling the hiding of authorized conversations and devices, and intercepting clipboard contents.
Through Redis channels and C2 servers, the Trojan receives commands including uploading SMS messages, contacts, and clipboard content whenever the user minimizes or restores the messaging window.
Clipboard monitoring enables theft of cryptocurrency wallet passwords or mnemonic (seed) phrases as well as sensitive communications.
The malware systematically collects device information, installed applications, message logs, and authentication tokens, transmitting them to attackers every three minutes while maintaining the appearance of normal application operation.
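Two of the behaviours described above are visible at the network layer: a phone talking to a Redis service (whose default TCP port is 6379) and a fixed-cadence exfiltration beacon about every three minutes. The following detector is an added example written for this article, not code from Dr.Web or from the report; it runs over a few constructed connection-log lines (ISO timestamp, source IP, destination IP:port, bytes) and flags both patterns. The log format, the IP addresses and the 20-second tolerance are assumptions made for the example.

```python
"""Added example: flag Redis-port flows and ~3-minute beacons in connection logs.
The log layout and all sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

REDIS_PORT = 6379                      # Redis default port (the article's C2 channel)
BEACON_INTERVAL = timedelta(minutes=3) # cadence the article reports for exfiltration
TOLERANCE = timedelta(seconds=20)      # assumed jitter allowance around the cadence
MIN_CONNECTIONS = 4                    # assumed minimum flows before calling it a beacon

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes>"
# 10.20.0.15 plays an infected device; 10.20.0.22 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2025-10-01T09:00:00 10.20.0.15 203.0.113.7:6379 512
2025-10-01T09:00:12 10.20.0.15 198.51.100.9:443 2300
2025-10-01T09:03:01 10.20.0.15 203.0.113.7:6379 498
2025-10-01T09:06:00 10.20.0.15 203.0.113.7:6379 530
2025-10-01T09:08:45 10.20.0.22 198.51.100.9:443 1800
2025-10-01T09:09:02 10.20.0.15 203.0.113.7:6379 501
2025-10-01T09:12:00 10.20.0.15 203.0.113.7:6379 511
2025-10-01T09:15:30 10.20.0.22 198.51.100.9:443 900
2025-10-01T09:40:00 10.20.0.22 198.51.100.9:443 1100
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, byte_count)."""
    ts, src, dst, size = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), int(size)


def find_redis_clients(lines):
    """Map each source IP to the set of destinations it contacted on the Redis port.
    A handset speaking to an Internet-facing Redis instance is unusual enough to review."""
    hits = defaultdict(set)
    for line in lines:
        _, src, dst_ip, port, _ = parse_line(line)
        if port == REDIS_PORT:
            hits[src].add(dst_ip)
    return dict(hits)


def find_beacons(lines, interval=BEACON_INTERVAL, tolerance=TOLERANCE,
                 min_connections=MIN_CONNECTIONS):
    """Return [(src, dst_ip, dst_port, flow_count)] for (src, dst, port) tuples whose
    successive connections are spaced at `interval` within `tolerance`."""
    per_pair = defaultdict(list)
    for line in lines:
        ts, src, dst_ip, port, _ = parse_line(line)
        per_pair[(src, dst_ip, port)].append(ts)

    beacons = []
    for (src, dst_ip, port), times in per_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = sum(1 for gap in gaps if abs(gap - interval) <= tolerance)
        # Every gap between consecutive flows must sit on the cadence.
        if regular == len(gaps):
            beacons.append((src, dst_ip, port, len(times)))
    return beacons


def analyse(log_text):
    """Run both detectors over a whole log and return a combined report."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return {"redis_clients": find_redis_clients(lines), "beacons": find_beacons(lines)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the same device is flagged twice: once for contacting a Redis port at all, and once because its five flows to that host are spaced three minutes apart. Either signal alone is worth a look; both together on one handset match the article's description closely, and the beacon check also catches the same cadence on a non-Redis port.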
source: 961 today