Security researchers from Dr.Web report a new Android backdoor, dubbed Baohuo (Android.Backdoor.Baohuo.1.origin), that piggybacks on tampered builds of Telegram X. The trojan preserves full messenger functionality while gaining elevated privileges to exfiltrate credentials and chats, conceal active sessions, and silently act on the user’s behalf. Telemetry indicates more than 58,000 infected devices and roughly 20,000 active backdoor connections at the time of observation.
What Baohuo Is: Android Backdoor Hidden in Modified Telegram X
Baohuo integrates deeply with Telegram X to weaponize normal features without arousing suspicion. It can add or remove the victim from channels, join or leave chats, and mask these actions inside the interface so they appear routine. A particularly dangerous capability is hiding third‑party device logins in Telegram’s Active Sessions list, making account compromise harder to detect.
Capabilities: Stealth, Data Interception, and Account Control
The backdoor uses two core techniques to subvert Telegram X behavior. First, it injects “mirrors” of the app’s methods to render phishing-like dialog windows that are visually indistinguishable from native Telegram X prompts. Second, it employs the Xposed framework for runtime method hooking to hide chats, suppress visibility of authorized devices, and intercept clipboard content.
Clipboard interception and real-world risk
Clipboard monitoring enables high-impact theft. When users return to the messenger, Baohuo can harvest passwords, one-time codes, crypto wallet seed phrases, or sensitive text fragments copied moments earlier. Clipboard abuse is a well-documented vector in mobile attacks, and both platform guidance and vendor best practices warn against granting unnecessary overlay or accessibility privileges that can facilitate such interception (see Google’s Android security guidance and Telegram’s two-step verification documentation).
Distribution: Malvertising and Third‑Party APK Catalogs
The campaign, active since mid‑2024, relies heavily on malvertising inside mobile apps. Ads redirect to sites styled as app stores, promoting Telegram X as a dating and social platform. Operators currently push localized lures for Portuguese (Brazil) and Indonesian audiences, with potential for broader expansion.
Beyond phishing sites, Baohuo has been identified in third‑party APK marketplaces including APKPure, ApkSum, and AndroidP. Notably, on APKPure the trojan was distributed under the name of the official developer, although the digital signatures did not match the legitimate build—a critical red flag. According to researchers, marketplace operators have been notified.
Command and Control: Redis as an Unusual C2 Channel
Early Baohuo variants used a traditional command-and-control (C2) server. Recent builds add a secondary C2 channel via Redis, which is uncommon on Android. The backdoor initially contacts a staging C2 to retrieve configuration that includes Redis connection parameters, current C2 addresses, and an NPS server used to create an internal network and convert infected devices into Internet proxies.
Commands, configuration updates, and traffic routing can flow via either channel. Redis is leveraged in a publish/subscribe model: Baohuo subscribes to a specific subchannel where operators post tasks. This dual-path design adds resilience—if Redis is unreachable, instructions fall back to the standard C2.
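The pub/sub channel described above is unusual enough to be a useful detection signal: phones, tablets and TV boxes have no business speaking the Redis wire protocol (RESP), let alone issuing SUBSCRIBE. The following added example, written for this page and not taken from the Dr.Web report or from any Baohuo sample, shows a minimal RESP2 decoder and a rule that flags Redis commands from device address ranges, raising severity when a subscription is seen. The network ranges, the task channel name and the captured flows are constructed sample data.

```python
"""Detect Redis pub/sub traffic from device networks.

Added illustration (not part of the Dr.Web report): a minimal RESP2 decoder plus
a rule that flags any Redis command, and especially SUBSCRIBE-style commands,
sent from address ranges where only phones, tablets and TV boxes live. The
network ranges and the captured flows below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical device/guest VLANs; nothing there has a reason to speak RESP.
DEVICE_NETS = [
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("192.168.80.0/24"),
]
PUBSUB_CMDS = {"SUBSCRIBE", "PSUBSCRIBE", "SSUBSCRIBE"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # reassembled client-to-server bytes


def parse_resp_commands(payload: bytes) -> list[list[str]]:
    """Decode client->server RESP2 arrays ("*N\\r\\n$len\\r\\n<data>\\r\\n...").

    Lines that are not arrays (inline commands, responses) are skipped, and a
    malformed or truncated frame ends parsing with what was decoded so far.
    """
    cmds: list[list[str]] = []
    pos = 0
    try:
        while pos < len(payload):
            nl = payload.find(b"\r\n", pos)
            if nl < 0:
                break
            if payload[pos:pos + 1] != b"*":
                pos = nl + 2  # not an array frame: skip the line
                continue
            count = int(payload[pos + 1:nl])
            pos = nl + 2
            parts: list[str] = []
            for _ in range(count):
                nl = payload.find(b"\r\n", pos)
                if nl < 0 or payload[pos:pos + 1] != b"$":
                    return cmds
                length = int(payload[pos + 1:nl])
                pos = nl + 2
                data = payload[pos:pos + length]
                if len(data) < length:
                    return cmds  # truncated bulk string
                parts.append(data.decode("utf-8", "replace"))
                pos += length + 2  # skip data and its trailing CRLF
            cmds.append(parts)
    except ValueError:  # non-numeric length field
        pass
    return cmds


def is_device_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEVICE_NETS)


def detect_pubsub_c2(flows: list[Flow]) -> list[dict]:
    """One alert per flow in which a device host speaks RESP; SUBSCRIBE raises severity."""
    alerts = []
    for f in flows:
        if not is_device_host(f.src):
            continue
        cmds = [c for c in parse_resp_commands(f.payload) if c]
        if not cmds:
            continue
        subscribed = [ch for c in cmds if c[0].upper() in PUBSUB_CMDS for ch in c[1:]]
        alerts.append({
            "src": f.src,
            "dst": f"{f.dst}:{f.dport}",
            "commands": [c[0].upper() for c in cmds],
            "subscribed": subscribed,
            "severity": "high" if subscribed else "medium",
        })
    return alerts


# Constructed sample flows: one infected handset subscribing to a task channel,
# one legitimate backend worker, one ordinary HTTPS request.
SAMPLE_FLOWS = [
    Flow("10.50.3.17", "203.0.113.10", 6379,
         b"*2\r\n$4\r\nAUTH\r\n$6\r\nsecret\r\n"
         b"*2\r\n$9\r\nSUBSCRIBE\r\n$12\r\ntasks:br:001\r\n"),
    Flow("10.20.1.5", "10.20.1.9", 6379,
         b"*2\r\n$9\r\nSUBSCRIBE\r\n$6\r\norders\r\n"),
    Flow("10.50.3.17", "203.0.113.10", 443,
         b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in detect_pubsub_c2(SAMPLE_FLOWS):
        print(alert)
```

The rule keys on the source network rather than on port 6379 alone, because the article notes that operators can move C2 addresses through configuration updates; any device host emitting RESP is suspicious regardless of port, and a SUBSCRIBE from such a host is the pub/sub tasking pattern described above.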
Scope and Impact: Users and Organizations
Infections span roughly 3,000 device models, from phones and tablets to Android TV boxes and in-vehicle infotainment systems. Such diversity complicates detection by device profiling or signature alone.
Baohuo enables account takeover with covert on‑platform activity, theft of chat history, and extraction of clipboard secrets. Likely monetization includes artificially inflating channel subscribers and financially motivated theft via stolen crypto and credentials. For organizations, risks extend to reputation damage, leakage of sensitive communications, and social engineering conducted from compromised executive or corporate accounts.
Mitigation: Practical Steps to Reduce Risk
Install apps from trusted sources only. Avoid sideloading APKs from ads or “fast install” landing pages. Prefer the official Google Play store and verified publishers.
Verify developer identity and signatures. Even on well-known catalog sites, a mismatch between the listed developer and the app's signing certificate warrants abandoning the installation.
Limit high-risk permissions. Be cautious with clipboard access, overlay permissions, and accessibility services, which are commonly abused for credential and OTP capture.
Harden your Telegram account. Enable two-step verification (2FA), regularly review Active Sessions, terminate unknown sessions, and rotate passwords and passcodes at the first sign of suspicion.
Keep OS and defenses up to date. Use Google Play Protect or enterprise MDM, reputable mobile security tools, and monitor network traffic for anomalies. Enterprises should enforce MDM policies, watch for indicators of compromise, isolate suspected devices, and perform a clean reimage with validated backups when necessary.
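The signature check in the second mitigation above, and the APKPure case earlier on this page where the listing carried the official developer's name but a different signature, can be automated. The following added example, written for this page and not part of the Dr.Web report or of any Telegram or Android tooling, parses the human-readable output of `apksigner verify --print-certs` and rejects a build whose signer digest differs from a pinned one even when the certificate subject names the expected developer. The output line format is assumed from apksigner; the pinned digest, developer name and sample outputs are constructed placeholders, and the real Telegram X signing-certificate digest must come from a trusted source.

```python
"""Check an APK's signing certificate against a known-good fingerprint.

Added illustration (not part of the Dr.Web report or Telegram's tooling): it
parses the human-readable output of `apksigner verify --print-certs` and
rejects any build whose signer digest differs from the pinned one, even when
the certificate subject (DN) names the expected developer. The expected digest
and the sample outputs below are constructed placeholders.
"""
from __future__ import annotations

import re
import shutil
import subprocess

# Matches lines such as "Signer #1 certificate SHA-256 digest: ab12..." (format
# assumed from apksigner's --print-certs output).
_CERT_LINE = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest): (.+)$", re.M)


def parse_print_certs(output: str) -> dict[int, dict[str, str]]:
    """Group DN and SHA-256 digest per signer index."""
    signers: dict[int, dict[str, str]] = {}
    for idx, field, value in _CERT_LINE.findall(output):
        entry = signers.setdefault(int(idx), {})
        key = "dn" if field == "DN" else "sha256"
        entry[key] = value.strip()
    return signers


def _norm(digest: str) -> str:
    """Normalise hex digests so 'AA:BB' and 'aabb' compare equal."""
    return digest.replace(":", "").strip().lower()


def verify_signer(output: str, expected_sha256: str) -> dict:
    """Return a verdict: trusted only if every signer matches the pinned digest."""
    signers = parse_print_certs(output)
    if not signers:
        return {"trusted": False, "reason": "no signer information found"}
    mismatched = [
        f"signer #{i} DN '{s.get('dn', '?')}' has digest {s.get('sha256', '?')[:16]}..."
        for i, s in signers.items()
        if _norm(s.get("sha256", "")) != _norm(expected_sha256)
    ]
    if mismatched:
        return {"trusted": False, "reason": "signer digest mismatch: " + "; ".join(mismatched)}
    return {"trusted": True, "reason": f"{len(signers)} signer(s) match pinned certificate"}


def verify_apk(apk_path: str, expected_sha256: str) -> dict:
    """Run apksigner on a real file (requires Android build-tools on PATH)."""
    if shutil.which("apksigner") is None:
        return {"trusted": False, "reason": "apksigner not found on PATH"}
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return {"trusted": False, "reason": f"apksigner failed: {proc.stderr.strip()}"}
    return verify_signer(proc.stdout, expected_sha256)


# Constructed placeholder for the legitimate developer's certificate digest.
PINNED_SHA256 = "aa" * 32

# Constructed sample outputs: a genuine build, and a repackaged build whose DN
# copies the developer name but is signed with a different key.
GENUINE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Messenger, O=Example Dev, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'aa' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'aa' * 20}\n"
)
REPACKAGED_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Messenger, O=Example Dev, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'bb' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'bb' * 20}\n"
)

if __name__ == "__main__":
    print(verify_signer(GENUINE_OUTPUT, PINNED_SHA256))
    print(verify_signer(REPACKAGED_OUTPUT, PINNED_SHA256))
```

The verdict deliberately ignores the DN: a repackager controls the subject string of a self-signed certificate, so only the certificate digest, pinned from a copy obtained through the official store, tells a genuine build from a tampered one.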
Baohuo illustrates the evolution of Android malware: deep app integration, UI stealth, and a resilient Redis-backed C2 architecture. Given the campaign’s breadth and device diversity, disciplined app hygiene, rigorous session monitoring, and mandatory 2FA are essential. Organizations should pair user awareness with technical controls and incident response playbooks to minimize dwell time and reduce the blast radius of account takeovers.