Cybersecurity experts at Doctor Web have identified a highly sophisticated Android backdoor hiding in maliciously modified versions of the Telegram X messenger.
Dubbed Android.Backdoor.Baohuo.1.origin, this malware enables threat actors to steal credentials, chat histories, clipboard data, and even take full control of user accounts on the popular messaging platform.
According to Doctor Web, “with this backdoor’s assistance, malicious actors gain full control over the victim’s account and the messenger functionality, while the trojan itself is a tool for boosting the number of subscribers in Telegram channels.”
The campaign, which began circulating in mid-2024, uses in-app advertising to lure users into downloading trojanized APKs from malicious websites mimicking app stores. These pages feature fake reviews, video chat banners, and multilingual support, all designed to trick users into believing they are installing a legitimate or enhanced Telegram X version.
“Potential victims are shown ads that encourage them to install the Telegram X messenger,” Doctor Web notes. “When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.”

One of the report’s most alarming findings is the unusual command-and-control architecture of Baohuo. While previous Android backdoors have relied on conventional C2 servers, Doctor Web’s researchers found that this one also takes commands through a Redis database, which the report describes as the first known case in Android malware.
This Redis-based mechanism allows attackers to send commands, modify configurations, and update payloads directly through the database, while keeping the conventional C2 server as a fallback.
“When launched, Android.Backdoor.Baohuo.1.origin connects to the initial C2 server to download a configuration that, among other parameters, contains data to connect to Redis,” the report explains. “This is the first known case of using Redis to control Android malware.”
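A practical consequence for defenders is that a phone which starts speaking the Redis wire protocol (RESP) to a remote host is itself an anomaly worth alerting on, whatever the destination. The following parser is an added example, not code from Doctor Web’s report or from any analysis tool it mentions: it decodes RESP from a captured TCP payload, lists the commands the client issued, and flags the pub/sub and key-read commands a tasking channel would use. The sample payloads are constructed for illustration.

```python
"""Detect Redis (RESP) command traffic in a captured TCP payload.

Added example, not code from Doctor Web's report. Parses the Redis
serialization protocol well enough to list the commands a client sent,
so a network-monitoring pipeline can flag a device that should never be
talking to a Redis server. Sample payloads below are constructed.
"""
from __future__ import annotations


class RespError(ValueError):
    """Raised on malformed or truncated RESP data."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    # RESP lines are terminated by CRLF; a missing terminator means truncation.
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise RespError("truncated line")
    return buf[pos:end], end + 2


def parse_resp(buf: bytes, pos: int = 0):
    """Parse one RESP value starting at pos; return (value, new_pos)."""
    if pos >= len(buf):
        raise RespError("empty buffer")
    kind = buf[pos:pos + 1]
    line, pos = _read_line(buf, pos + 1)
    if kind == b"+":                      # simple string (server reply)
        return line.decode(), pos
    if kind == b"-":                      # error reply
        return RespError(line.decode()), pos
    if kind == b":":                      # integer reply
        return int(line), pos
    if kind == b"$":                      # bulk string: "$<len>\r\n<bytes>\r\n"
        n = int(line)
        if n == -1:
            return None, pos
        data = buf[pos:pos + n]
        if len(data) != n or buf[pos + n:pos + n + 2] != b"\r\n":
            raise RespError("truncated bulk string")
        return data.decode(errors="replace"), pos + n + 2
    if kind == b"*":                      # array: how every client command is sent
        n = int(line)
        if n == -1:
            return None, pos
        items = []
        for _ in range(n):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    raise RespError(f"unknown RESP type byte {kind!r}")


def extract_commands(payload: bytes) -> list[list[str]]:
    """Return every client command (array of strings) found in the payload."""
    commands, pos = [], 0
    while pos < len(payload):
        try:
            value, pos = parse_resp(payload, pos)
        except RespError:
            break  # stop at the first non-RESP or truncated value
        if isinstance(value, list) and value and all(isinstance(v, str) for v in value):
            commands.append([value[0].upper()] + value[1:])
    return commands


# Command families that matter for a remote-control channel: pub/sub lets an
# operator push instructions, key reads let the client poll for new tasking.
CONTROL_COMMANDS = {
    "SUBSCRIBE", "PSUBSCRIBE", "PUBLISH", "GET", "HGET", "HGETALL",
    "LPOP", "RPOP", "BLPOP", "BRPOP",
}


def assess_payload(payload: bytes) -> dict:
    """Summarise whether a payload is RESP and whether it looks like tasking."""
    names = [c[0] for c in extract_commands(payload)]
    return {
        "is_resp": bool(names),
        "commands": names,
        "control_channel": any(n in CONTROL_COMMANDS for n in names),
    }


# Constructed sample: an AUTH followed by a SUBSCRIBE, as a client would send.
SAMPLE_REDIS_CLIENT = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\npassw0rd\r\n"
    b"*2\r\n$9\r\nSUBSCRIBE\r\n$6\r\ntasks1\r\n"
)
# Constructed sample: ordinary HTTP, which must not be mistaken for RESP.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, data in (("redis", SAMPLE_REDIS_CLIENT), ("http", SAMPLE_HTTP)):
        print(label, assess_payload(data))
```

Two caveats apply in practice. The parser stops at the first truncated value, so a command split across packets needs stream reassembly before inspection, and a Redis channel wrapped in TLS cannot be decoded at all; in that case the signal is the flow itself (a mobile device connecting to a Redis port on a host that is not part of the app’s known infrastructure), not the payload.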
Doctor Web identified three main modification types of the infected Telegram X apps:
- Versions embedding the backdoor directly into the main DEX executable.
- Versions where the payload is injected dynamically via LSPatch.
- Versions storing the malicious code in a separate DEX file within the app’s resources.
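Each of the three packaging variants leaves a structural trace in the APK itself, and those traces can be checked before installation without reverse-engineering the app. The script below is an added example, not Doctor Web’s tooling: it walks the zip entries of an APK and flags DEX files outside the standard `classes*.dex` slots (identified by the DEX magic bytes, so a payload renamed to `.bin` is still caught), LSPatch packaging markers, and references to the Xposed API inside any DEX. The LSPatch marker path (`assets/lspatch/`) is an assumption about that tool’s output layout; the two sample APKs are constructed in memory.

```python
"""Structural triage of an APK for signs of a repackaged or patched build.

Added example, not code from Doctor Web or from any project named on the
page. Looks for: DEX files outside classes*.dex (by magic bytes, regardless
of extension), an LSPatch marker directory (assumed layout), and Xposed API
references inside DEX data. Sample APKs are constructed in memory.
"""
from __future__ import annotations

import io
import re
import zipfile

DEX_MAGIC = b"dex\n"                        # every DEX version starts "dex\n0NN\0"
STANDARD_DEX = re.compile(r"^classes\d*\.dex$")
LSPATCH_MARKER = "assets/lspatch/"          # assumption: LSPatch output directory
XPOSED_API_PKG = b"de.robv.android.xposed"  # Xposed API package name


def triage_apk(apk_bytes: bytes) -> dict:
    """Return standard/stray DEX lists, textual findings and a verdict."""
    findings: list[str] = []
    std_dex: list[str] = []
    stray_dex: list[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(LSPATCH_MARKER):
                findings.append(f"lspatch marker: {name}")
            if info.is_dir():
                continue
            # Identify DEX by magic rather than by extension.
            with zf.open(info) as fh:
                head = fh.read(len(DEX_MAGIC))
            if not head.startswith(DEX_MAGIC):
                continue
            if STANDARD_DEX.match(name):
                std_dex.append(name)
            else:
                stray_dex.append(name)
                findings.append(f"dex outside classes*.dex: {name}")
            if XPOSED_API_PKG in zf.read(name):
                findings.append(f"xposed api reference in {name}")
    return {
        "standard_dex": std_dex,
        "stray_dex": stray_dex,
        "findings": findings,
        "suspicious": bool(findings),
    }


def _dex_blob(extra: bytes = b"") -> bytes:
    # Constructed stand-in for a DEX file: valid magic, padding, optional strings.
    return DEX_MAGIC + b"035\0" + b"\0" * 16 + extra


def build_sample_apk(trojanized: bool) -> bytes:
    """Build a constructed APK-shaped zip; the trojanized form mimics variants 2 and 3."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not binary XML
        zf.writestr("classes.dex", _dex_blob())
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
        if trojanized:
            zf.writestr("assets/lspatch/config.json", b"{}")
            zf.writestr("assets/fonts/extra.bin",
                        _dex_blob(XPOSED_API_PKG + b"/XposedBridge"))
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "trojanized"):
        print(label, triage_apk(build_sample_apk(label == "trojanized")))
```

The first variant (backdoor compiled into the main DEX) leaves no stray file and is only caught here if it references the Xposed API, so treat a clean structural result as necessary rather than sufficient. The decisive check for any variant is the signing certificate: `apksigner verify --print-certs app.apk` from the Android SDK build tools prints the signer digests, which must match those of the official Telegram X release and will not for a repackaged build, however carefully its store listing imitates the developer.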
Regardless of the variant, the backdoor initializes immediately after launch while the messenger stays fully functional, so victims notice nothing suspicious. As the report puts it, “In reality, however, malicious actors have complete control over it through the backdoor and can even alter the logic of its operation.”
The attackers use “mirrors” of legitimate Telegram functions to inject phishing content that appears indistinguishable from genuine app dialogs. For deeper manipulation, they employ the Xposed framework, which “can be used to hide certain chats and authorized devices as well as to steal the clipboard contents.”
Doctor Web’s telemetry indicates that over 58,000 devices — spanning 3,000 different Android models, including smartphones, tablets, TV boxes, and even in-vehicle systems — have been infected worldwide. The primary victims are located in Brazil and Indonesia, where localized ad templates were used.
The backdoor can conceal its presence by hiding compromised devices from Telegram’s list of active sessions and by joining or leaving chats and channels without visible traces. It can also remove the Telegram Premium icon, manipulate subscriptions, and terminate sessions remotely — all at the attackers’ command.
Perhaps most dangerously, it monitors and uploads clipboard contents every time users minimize or reopen the app. This feature allows hackers to capture crypto wallet seeds, passwords, or business documents. As the researchers warn, “the trojan will intercept this information from the clipboard and send it to the malicious actors.”
The malicious Telegram X clones were also found on third-party app catalogs such as APKPure, ApkSum, and AndroidP, sometimes even uploaded under the official developer’s name.
Doctor Web confirmed, “In the APKPure app store, the malware is posted on behalf of the official messenger developer, despite the fact that the digital signatures of the original version and the trojan modification are different.”
Although these listings have since been reported and removed, the scale of infection suggests that many users continue to install compromised versions from external sources or via ads.