Your Telegram Isn’t Talking to You — It’s Talking to Hackers

It Looks Like Telegram, It Texts Like Telegram, But It’s Not Telegram

The420 Web Desk

A newly uncovered Android backdoor disguised as the Telegram X messenger has compromised tens of thousands of devices on several continents, relaying private data to its operators every three minutes while continuing to work as a chat app. Researchers say it is the first Android malware known to use a Redis database as part of its command channel.

A Trojan Masquerading as a Messenger

A stealthy operation has been discovered inside counterfeit builds of Telegram X, the lightweight official alternative to the main Telegram client. Identified as Android.Backdoor.Baohuo.1.origin, the malware gives attackers extensive control over the victim's account and device, from message interception to real-time surveillance, while the app keeps working as expected.

According to analysts at the Russian cybersecurity firm Dr.Web, the malware spread through third-party app stores such as APKPure, ApkSum and AndroidP, where it was uploaded under Telegram's name with convincing visuals and metadata, but signed with certificates that do not match those of the genuine Telegram X.
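The signature mismatch is the one check a user or analyst can make before trusting a build from a third-party store. Below is an added example (not Dr.Web's or Telegram's code) that reads the v1 JAR signature block from an APK, extracts the signing certificate with a minimal DER walker and compares its SHA-256 fingerprint with an allowlist. The allowlist value and the sample "APK" are constructed for the demo; in practice the fingerprint to pin is the one that `apksigner verify --print-certs` reports for a copy obtained from Telegram's own distribution channels.

```python
"""Verify an APK's v1 (JAR) signing certificate against known-good SHA-256
fingerprints. Added example for this article, not Dr.Web's or Telegram's code."""
import hashlib
import io
import zipfile
from typing import List, Set


def der_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length


def children(buf: bytes, start: int, end: int):
    """Direct child TLVs of a constructed value as (tag, start, value_start, value_end)."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        out.append((tag, pos, vstart, vend))
        pos = vend
    return out


def looks_like_certificate(buf: bytes, vstart: int, vend: int) -> bool:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE,
    signatureValue BIT STRING }; tbsCertificate starts with [0] version or INTEGER serial."""
    kids = children(buf, vstart, vend)
    if [k[0] for k in kids] != [0x30, 0x30, 0x03]:
        return False
    tbs = children(buf, kids[0][2], kids[0][3])
    return bool(tbs) and tbs[0][0] in (0xA0, 0x02)


def find_certificates(buf: bytes, start: int, end: int, out: List[bytes]) -> List[bytes]:
    """Recursively scan a PKCS#7 SignedData blob for embedded certificates (whole DER TLVs)."""
    for tag, pos, vstart, vend in children(buf, start, end):
        if tag == 0x30 and looks_like_certificate(buf, vstart, vend):
            out.append(buf[pos:vend])
        elif tag & 0x20:                   # constructed type: descend
            find_certificates(buf, vstart, vend, out)
    return out


def apk_signer_fingerprints(apk) -> List[str]:
    """SHA-256 fingerprints (as apksigner prints them) of every v1 signing certificate.
    `apk` is a path or file-like object; an APK signed only with scheme v2/v3 yields []."""
    fps = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                blob = z.read(name)
                for cert in find_certificates(blob, 0, len(blob), []):
                    fps.append(hashlib.sha256(cert).hexdigest())
    return fps


def check_signer(fingerprints: List[str], allowlist: Set[str]) -> str:
    if not fingerprints:
        return "no-v1-signature"          # fall back to: apksigner verify --print-certs app.apk
    return "genuine-signer" if all(fp in allowlist for fp in fingerprints) else "SIGNER MISMATCH"


# --- constructed demo input: no real keys, only the ASN.1 shape the parser needs ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_demo_pkcs7(serial: int) -> bytes:
    """Stand-in for META-INF/CERT.RSA: ContentInfo{ signedData{ ..., certificates[0]{cert}, ... } }."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big")) + alg)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x55" * 32))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, alg)
                 + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))   # pkcs7-data
                 + der(0xA0, cert) + der(0x31, b""))
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed))  # signedData


def make_demo_apk(pkcs7: bytes) -> io.BytesIO:
    """In-memory zip standing in for an APK; only the signature file matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    buf.seek(0)
    return buf


def demo() -> dict:
    """Allowlist = fingerprint of the 'publisher' cert (serial 1); serial 2 plays the repackager."""
    genuine = build_demo_pkcs7(serial=1)
    allow = {hashlib.sha256(c).hexdigest() for c in find_certificates(genuine, 0, len(genuine), [])}
    return {
        "genuine": check_signer(apk_signer_fingerprints(make_demo_apk(genuine)), allow),
        "repackaged": check_signer(apk_signer_fingerprints(make_demo_apk(build_demo_pkcs7(serial=2))), allow),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': 'genuine-signer', 'repackaged': 'SIGNER MISMATCH'}
```

APKs signed only with scheme v2 or v3 carry no META-INF/*.RSA entry and come back as `no-v1-signature`; for those, `apksigner verify --print-certs app.apk` from the Android SDK build tools is the tool to use. A fingerprint match proves only that the publisher's key signed the file, but a repackaged build has to be re-signed with the attacker's own key, which is exactly what the mismatch reveals.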

Once installed, the backdoor begins a continuous cycle of data collection: device information, installed applications, authentication tokens and message histories. Every three minutes this data is relayed to remote servers while the victim continues chatting, unaware that the messenger has become a window for its operators.
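A fixed three-minute upload interval is a network artefact worth hunting for. The added example below (not from the Dr.Web report; the flow records are constructed) groups connection logs by device and destination and flags pairs whose gaps between connections are too regular to be human. Caveat: legitimate apps, Telegram's own keepalives included, also produce periodic traffic, so a hit is a lead for triage, not a verdict.

```python
"""Flag timer-driven beaconing in connection logs. Added example for this article;
the flows below are constructed, not data from the Baohuo campaign."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, str]   # (ISO-8601 timestamp, source device, destination host)


def find_beacons(flows: Iterable[Flow], min_events: int = 6, max_jitter: float = 0.15) -> List[dict]:
    """Group flows by (src, dst), measure the gaps between successive connections and report
    pairs whose gaps are regular: median absolute deviation / median gap <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue                                   # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.median([abs(g - period) for g in gaps]) / period
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "period_s": round(period),
                         "events": len(times), "jitter": round(jitter, 3)})
    return hits


def constructed_flows() -> List[Flow]:
    """Constructed sample: one handset, a 3-minute timer to 203.0.113.10 (RFC 5737 documentation
    address standing in for an exfiltration host), ordinary irregular traffic elsewhere."""
    t0 = datetime(2025, 10, 14, 9, 0, 0)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).isoformat()

    flows = []
    # timer-driven: 180 s apart with a few seconds of scheduler drift
    for i, drift in enumerate([0, 1, 1, 3, 3, 2, 2, 4, 4, 3]):
        flows.append((stamp(i * 180 + drift), "handset-01", "203.0.113.10"))
    # human browsing: bursts and long pauses
    for s in [0, 5, 40, 41, 300, 900, 905, 2000]:
        flows.append((stamp(s), "handset-01", "198.51.100.7"))
    # a host contacted only three times, regularly: below the sample threshold
    for s in [10, 190, 370]:
        flows.append((stamp(s), "handset-01", "192.0.2.5"))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

Lowering `min_events` makes the detector more sensitive but lets short, coincidental runs through; raising `max_jitter` catches implants that randomise their sleep, at the cost of more false positives from polling apps.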

Redis, Not Routine: A First in Android Malware

What sets this campaign apart from conventional Android threats is its control channel. Alongside a conventional command-and-control (C2) server, Baohuo talks to Redis, an open-source in-memory key-value store normally found behind web applications, not inside mobile malware.

Using Redis to receive commands gives the operators redundancy and flexibility: if the traditional C2 servers are blocked or taken offline, the implant can still pull instructions from the database. Dr.Web describes this as the first documented use of a Redis database in an Android malware control mechanism.

On start-up, the trojan connects to the Redis infrastructure to fetch its configuration, receive commands and have its settings updated remotely. The result is continuous adaptation: if defenders dismantle one control point, the operators can redirect infected devices to another.
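Redis speaks RESP, a simple line-oriented plaintext protocol, over TCP (port 6379 by default, although an operator can use any port or wrap it in TLS), so a handset talking RESP to an internet host is both anomalous and, when unencrypted, easy to decode once the session is captured. The added example below (not code from the malware or from Dr.Web; the session bytes, key and channel names are all constructed) decodes a RESP exchange, pairs each command with its reply, turns a hash read into a configuration dictionary and collects the pub/sub messages a subscribed client receives afterwards.

```python
"""Decode RESP (the Redis wire protocol) from a captured TCP session and recover what the
client fetched. Added example for this article; the session bytes are constructed and the
key and channel names are placeholders, not indicators from the Baohuo report."""
from typing import Any, List, Tuple

# constructed client -> server payload: authenticate, pick a DB, read a config hash, subscribe
CLIENT_TO_SERVER = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\nsecret01\r\n"
    b"*2\r\n$6\r\nSELECT\r\n$1\r\n0\r\n"
    b"*2\r\n$7\r\nHGETALL\r\n$10\r\nbot:config\r\n"
    b"*2\r\n$9\r\nSUBSCRIBE\r\n$11\r\nbot:control\r\n"
)
# constructed server -> client payload: two acks, the hash, the subscribe ack, one pushed message
SERVER_TO_CLIENT = (
    b"+OK\r\n"
    b"+OK\r\n"
    b"*4\r\n$8\r\ninterval\r\n$3\r\n180\r\n$8\r\nendpoint\r\n$12\r\n203.0.113.25\r\n"
    b"*3\r\n$9\r\nsubscribe\r\n$11\r\nbot:control\r\n:1\r\n"
    b"*3\r\n$7\r\nmessage\r\n$11\r\nbot:control\r\n$12\r\nrun:task-001\r\n"
)


def parse_resp(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one RESP2 value at pos; return (value, position just after it)."""
    kind = data[pos:pos + 1]
    end = data.index(b"\r\n", pos)
    line, nxt = data[pos + 1:end], end + 2
    if kind == b"+":                                  # simple string
        return line.decode(), nxt
    if kind == b"-":                                  # error
        return ("error", line.decode()), nxt
    if kind == b":":                                  # integer
        return int(line), nxt
    if kind == b"$":                                  # bulk string, $-1 is null
        n = int(line)
        return (None, nxt) if n == -1 else (data[nxt:nxt + n], nxt + n + 2)
    if kind == b"*":                                  # array, *-1 is null
        n, items = int(line), []
        if n == -1:
            return None, nxt
        for _ in range(n):
            item, nxt = parse_resp(data, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"not RESP at offset {pos}: {kind!r}")


def parse_stream(data: bytes) -> List[Any]:
    """Decode every top-level RESP value in a captured direction of the session."""
    out, pos = [], 0
    while pos < len(data):
        value, pos = parse_resp(data, pos)
        out.append(value)
    return out


def classify_redis_session(client: bytes, server: bytes) -> dict:
    """Pair each client command with its reply (Redis answers in order), decode hash reads
    into dicts, and collect pub/sub pushes that arrive after the last request was answered."""
    requests = [f for f in parse_stream(client) if isinstance(f, list) and f]
    replies = parse_stream(server)
    commands, config, pushed = [], {}, []
    for i, req in enumerate(requests):
        cmd = req[0].upper().decode()
        commands.append(cmd)
        if cmd == "HGETALL" and i < len(replies) and isinstance(replies[i], list):
            fields = replies[i]                       # flat [field, value, field, value, ...]
            config[req[1].decode()] = {fields[j].decode(): fields[j + 1].decode()
                                        for j in range(0, len(fields) - 1, 2)}
    for extra in replies[len(requests):]:             # unsolicited frames = pub/sub pushes
        if isinstance(extra, list) and len(extra) == 3 and extra[0] == b"message":
            pushed.append((extra[1].decode(), extra[2].decode()))
    pulls = {"GET", "HGET", "HGETALL", "LPOP", "BLPOP", "SUBSCRIBE", "PSUBSCRIBE"}
    return {
        "commands": commands,
        "config": config,
        "pushed": pushed,
        # a phone speaking RESP to an internet host is already odd; reads and
        # subscriptions are what a command channel looks like on the wire
        "verdict": "redis-c2-suspect" if pulls & set(commands) else "redis-no-pull",
    }


if __name__ == "__main__":
    print(classify_redis_session(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
```

The same decoder can run inside a network sensor on live traffic: a `SUBSCRIBE` or a steady rhythm of reads coming from a mobile device is the signal, and the decoded keys and channel names become the indicators to block. If the operator has switched on Redis's TLS support, the traffic is opaque, but the connection itself remains an anomaly worth alerting on.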


Manipulating Messengers from the Inside Out

Technically, Baohuo shows a detailed understanding of how Telegram X works internally. Using the Xposed framework, a tool that lets developers (and here attackers) intercept and modify an app's methods at runtime, it substitutes prepared replacements for selected messenger methods, changing the app's behaviour without disturbing anything the user sees.

This sleight of hand lets the malware display phishing messages inside the chat interface, read clipboard contents, hide chats from the victim, and conceal the devices the attackers have authorised on the account, so the victim's session list looks normal.

Through Redis channels and secondary servers, Baohuo can upload SMS messages, contact lists and copied text whenever the user minimizes or reopens the messenger. The implications stretch beyond privacy: intercepted clipboard contents have reportedly exposed cryptocurrency wallet phrases, corporate credentials and confidential business communications.

A Global Campaign Targeting Brazil and Indonesia

Researchers trace the surge in Baohuo's distribution to mid-2024, when its operators began targeting users in Brazil and Indonesia with localized advertising in Portuguese and Indonesian.

More than 58,000 infections have been identified across some 3,000 Android device models, including smartphones, tablets, TV boxes and Android-based in-car systems, which shows how far the campaign reached. Victims typically meet it as in-app banners promising “free video chats” or “dating opportunities” that redirect to counterfeit app catalogues padded with fake reviews and inflated ratings.

Once installed, the fake Telegram X behaves like the real app and even connects to genuine Telegram servers for normal messaging, because it is a repackaged copy of the legitimate client. In the background, its concealed routines join chats, add the victim's account to channels and inflate subscriber counts, turning compromised devices into instruments for covert influence operations.
