Hackers have weaponized Telegram X on Android, distributing the Android.Backdoor.Baohuo.1.origin malware, which has put user devices at risk across Brazil and Indonesia since mid-2024. Embedded in modified versions of Telegram X, the backdoor lets attackers take control of user accounts.
Malware Distribution and Targets
The Baohuo malware spreads through deceptive in-app ads and downloads from third-party app stores. Users in Brazil and Indonesia receive versions localized in Portuguese and Indonesian. More than 58,000 devices are affected, spanning roughly 3,000 models of Android smartphones, tablets, TV boxes, and in-vehicle systems.
Technical Mechanisms and Risks
Baohuo uses advanced tactics to remain hidden while enabling unauthorized access and data theft. It relies on mirrored (hooked) Telegram methods and the Xposed framework to disguise its activity. Through these, attackers can intercept clipboard data and manipulate app behavior, including inflating channel subscriber counts, while avoiding detection.
Command and Control Operations
Baohuo coordinates its operations through Redis channels used as command-and-control infrastructure, alongside conventional C2 servers. Device information and user data, including authentication tokens and message histories, are exfiltrated every three minutes, posing a significant threat to privacy and security.
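As an added example (not part of the original report or of any vendor tooling), the fixed three-minute exfiltration cadence described above can be surfaced from network telemetry as a beaconing pattern. The flow records below are constructed, and the Redis default port 6379 and the device names are assumptions for illustration.

```python
"""Detect near-fixed-interval connections (beaconing) in flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real telemetry):
# (timestamp in epoch seconds, device id, destination host, destination port).
# dev-A contacts a Redis-style endpoint roughly every 180 s; dev-B is irregular.
SAMPLE_FLOWS = [
    (1700000000, "dev-A", "203.0.113.10", 6379),
    (1700000181, "dev-A", "203.0.113.10", 6379),
    (1700000359, "dev-A", "203.0.113.10", 6379),
    (1700000540, "dev-A", "203.0.113.10", 6379),
    (1700000720, "dev-A", "203.0.113.10", 6379),
    (1700000005, "dev-B", "198.51.100.7", 443),
    (1700000900, "dev-B", "198.51.100.7", 443),
    (1700000950, "dev-B", "198.51.100.7", 443),
    (1700003000, "dev-B", "198.51.100.7", 443),
]


def find_beacons(flows, period=180, tolerance=0.1, min_events=4):
    """Return (device, host, port) tuples whose connections recur at a
    near-constant interval close to `period` seconds.

    `period` defaults to the three-minute cadence reported for Baohuo;
    `tolerance` is the allowed relative jitter and deviation from `period`.
    """
    by_pair = defaultdict(list)
    for ts, dev, host, port in flows:
        by_pair[(dev, host, port)].append(ts)

    hits = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg            # low jitter => machine-like cadence
        drift = abs(avg - period) / period     # mean gap close to expected period
        if jitter <= tolerance and drift <= tolerance:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for dev, host, port in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate: {dev} -> {host}:{port}")
```

A single hit is only a lead; corroborate it with the app's signing certificate and install source before treating the device as compromised.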