Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control

Cybersecurity: Android Malware Threat Analysis
A newly identified backdoor, Android.Backdoor.Baohuo.1.origin, has been discovered in altered versions of the Telegram X messenger. This malware allows attackers to gain full control over users’ accounts without detection.
Infiltration and Distribution
The malware infiltrates devices using deceptive in-app advertisements and is distributed through third-party app stores, posing as legitimate dating and communication platforms.
As of mid-2024, the backdoor has infected over 58,000 devices, including various smartphone models, tablets, TV boxes, and Android-based vehicle systems. The primary targets are users in Brazil and Indonesia, with the attackers using language-specific templates for those audiences.
Malware Functionality
The malware is distributed via fraudulent websites that offer trojanized APK files, which appear indistinguishable from legitimate Telegram X installations. It has also been found in established third-party app repositories under misleading developer names.
Once installed, the malware can steal confidential information such as login credentials, passwords, and chat histories. It conceals its presence by hiding the unauthorized device sessions it creates, and it can silently use the victim's account to artificially inflate Telegram channel subscriber counts.
Technical Specifications
The backdoor's use of a Redis database for command-and-control operations is unusual and marks a significant development in Android malware. It first contacts a C2 server to obtain configuration parameters and Redis credentials; those credentials then give the operators a channel for remote command execution.
Advanced Control and Data Exfiltration
The malware employs various techniques to manipulate the messenger's functionality without user awareness. It uses pre-built copies of the messenger's own interface methods to display phishing messages that replicate authentic Telegram X screens.
For deeper app integration, the malware utilizes the Xposed framework, enabling it to hide specific chats and intercept clipboard contents. It receives commands through Redis channels and C2 servers, enabling it to upload SMS messages, contacts, and clipboard contents.
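The two passages above describe the backdoor fetching Redis credentials from a C2 server and then receiving commands over Redis channels. The following decoder, added here as an illustration and not taken from the original article or from any analysis of the sample itself, shows what that traffic looks like on the wire and how a defender can recognise it: it parses the Redis Serialization Protocol (RESP), which is plain text and easy to spot in a capture, and flags a client session that authenticates and then subscribes to channels, a pattern that a legitimate mobile messenger has no reason to produce. The captured byte strings, the credentials, and the channel names are all constructed for this example.

```python
"""Decode a captured Redis (RESP2) client stream and flag a pub/sub command channel.

Client-to-server RESP frames are arrays ("*N") of bulk strings ("$len"); a
subscribe-based command channel appears as AUTH followed by SUBSCRIBE/PSUBSCRIBE.
"""

# Commands that together indicate a device is being driven over Redis pub/sub.
SUBSCRIBE_COMMANDS = {"SUBSCRIBE", "PSUBSCRIBE", "SSUBSCRIBE"}
SUSPICIOUS_COMMANDS = SUBSCRIBE_COMMANDS | {"AUTH", "PUBLISH"}


def _read_line(data: bytes, pos: int):
    """Return the bytes up to the next CRLF and the offset just past it."""
    end = data.index(b"\r\n", pos)
    return data[pos:end], end + 2


def _parse_one(data: bytes, pos: int):
    """Parse a single RESP2 value starting at `pos`; return (value, new_pos)."""
    kind = data[pos:pos + 1]
    pos += 1
    if kind == b"*":  # array: "*<count>\r\n" followed by <count> values
        line, pos = _read_line(data, pos)
        count = int(line)
        if count == -1:  # null array
            return None, pos
        items = []
        for _ in range(count):
            value, pos = _parse_one(data, pos)
            items.append(value)
        return items, pos
    if kind == b"$":  # bulk string: "$<len>\r\n<bytes>\r\n"
        line, pos = _read_line(data, pos)
        length = int(line)
        if length == -1:  # null bulk string
            return None, pos
        payload = data[pos:pos + length]
        pos += length + 2  # skip payload and its trailing CRLF
        return payload.decode("utf-8", "replace"), pos
    if kind in (b"+", b"-", b":"):  # simple string, error, integer
        line, pos = _read_line(data, pos)
        text = line.decode("utf-8", "replace")
        return (int(text) if kind == b":" else text), pos
    raise ValueError(f"unknown RESP type byte {kind!r} at offset {pos - 1}")


def parse_resp(data: bytes):
    """Parse every RESP frame in a buffer and return the decoded values in order."""
    values, pos = [], 0
    while pos < len(data):
        value, pos = _parse_one(data, pos)
        values.append(value)
    return values


def extract_commands(stream: bytes):
    """From a client->server stream, return (COMMAND, [args]) pairs."""
    commands = []
    for frame in parse_resp(stream):
        if isinstance(frame, list) and frame and isinstance(frame[0], str):
            commands.append((frame[0].upper(), frame[1:]))
    return commands


def classify_session(stream: bytes):
    """Summarise a client session and say whether it looks like a command channel."""
    commands = extract_commands(stream)
    authenticated = any(cmd == "AUTH" for cmd, _ in commands)
    channels = sorted({ch for cmd, args in commands if cmd in SUBSCRIBE_COMMANDS for ch in args})
    return {
        "commands": [cmd for cmd, _ in commands],
        "authenticated": authenticated,
        "channels": channels,
        # A client that authenticates and then only listens on channels is a
        # consumer of remote instructions, not an app using Redis as a cache.
        "suspicious": authenticated and bool(channels),
    }


# Constructed sample of what a client sends: AUTH with placeholder credentials,
# then a SUBSCRIBE to a per-device channel and a broadcast channel.
SAMPLE_CLIENT_STREAM = (
    b"*3\r\n$4\r\nAUTH\r\n$12\r\nexample-user\r\n$14\r\nexample-secret\r\n"
    b"*3\r\n$9\r\nSUBSCRIBE\r\n$15\r\ncmd:device-0001\r\n$7\r\ncmd:all\r\n"
)

# Constructed sample of the server side: "+OK" to AUTH, then a subscribe confirmation.
SAMPLE_SERVER_REPLY = b"+OK\r\n*3\r\n$9\r\nsubscribe\r\n$15\r\ncmd:device-0001\r\n:1\r\n"


if __name__ == "__main__":
    print(classify_session(SAMPLE_CLIENT_STREAM))
    print(parse_resp(SAMPLE_SERVER_REPLY))
```

Because RESP is unencrypted unless the Redis server is fronted by TLS, a network sensor can run this classifier over any TCP stream, not only port 6379, and alert when a handset authenticates to an external Redis instance and subscribes to channels.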
This capability facilitates sophisticated data theft scenarios, including the exposure of sensitive information such as cryptocurrency wallet passwords and confidential communications.
The backdoor collects device information, installed application data, message histories, and authentication tokens, transmitting this data to attackers every three minutes while maintaining the appearance of normal operation.
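A fixed three-minute exfiltration cadence, as described above, is exactly the kind of regularity that network beaconing detection is built to catch. The script below is an added example, not part of the original article or of any vendor's detection logic, that groups connection records by source and destination, measures the spacing between connections, and flags pairs whose intervals are nearly constant. The log format, the addresses and the timestamps are constructed for the example; the 180-second pair is modelled on the cadence the article reports, and the jitter threshold is an assumed tuning value.

```python
"""Flag beaconing hosts from connection logs by looking for near-constant intervals."""

import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev

# Assumed log line shape for this example: "<ISO8601Z> src=<ip> dst=<ip:port> bytes=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes=(?P<bytes>\d+)$")


def parse_line(line: str):
    """Return (timestamp, src, dst, bytes) or None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, match["src"], match["dst"], int(match["bytes"])


def find_beacons(lines, min_connections=5, max_jitter_ratio=0.1):
    """Score every (src, dst) pair; a pair 'beacons' when its inter-connection
    intervals vary by no more than max_jitter_ratio of the median interval."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record:
            stamps_by_pair[(record[1], record[2])].append(record[0])

    results = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        if len(stamps) < min_connections:  # too few samples to judge regularity
            continue
        deltas = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        med = median(deltas)
        jitter = pstdev(deltas) / med if med > 0 else float("inf")
        results[pair] = {
            "count": len(stamps),
            "median_interval_s": med,
            "jitter_ratio": round(jitter, 3),
            "beacon": jitter <= max_jitter_ratio,
        }
    return results


# Constructed sample: one device talking to a Redis-port host every ~180 s
# (the cadence the article reports), plus ordinary irregular HTTPS traffic.
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=512",
    "2024-06-01T10:00:10Z src=10.0.0.5 dst=198.51.100.20:443 bytes=2048",
    "2024-06-01T10:00:25Z src=10.0.0.5 dst=198.51.100.20:443 bytes=9301",
    "2024-06-01T10:03:01Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=498",
    "2024-06-01T10:04:00Z src=10.0.0.5 dst=198.51.100.20:443 bytes=1200",
    "2024-06-01T10:06:00Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=530",
    "2024-06-01T10:09:02Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=505",
    "2024-06-01T10:11:59Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=511",
    "2024-06-01T10:15:00Z src=10.0.0.5 dst=203.0.113.10:6379 bytes=520",
    "2024-06-01T10:30:00Z src=10.0.0.5 dst=198.51.100.20:443 bytes=44000",
    "2024-06-01T10:31:00Z src=10.0.0.5 dst=198.51.100.20:443 bytes=800",
    "2024-06-01T10:45:00Z src=10.0.0.5 dst=198.51.100.20:443 bytes=3100",
]


if __name__ == "__main__":
    for pair, score in find_beacons(SAMPLE_LOG).items():
        print(pair, score)
```

The jitter ratio, standard deviation divided by the median interval, is what separates a timer-driven implant from a person using an app: the Redis-port pair scores close to zero, while the HTTPS pair with gaps ranging from seconds to many minutes scores well above the threshold. In production the same logic runs over NetFlow or firewall logs, and the destination port is deliberately not part of the rule, since a command channel need not sit on 6379.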