Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

A new Android threat is spreading fast through fake versions of Telegram X, giving attackers complete control over users’ accounts. Security researchers at Doctor Web have named it Android.Backdoor.Baohuo.1.origin, describing it as one of the most advanced Android backdoors seen this year.

It starts out looking like a normal Telegram X app, a real Android app developed by Telegram, offering a faster and more experimental version of the main Telegram client. The app is available on the Google Play Store.

Original Telegram X App and Fake Version – The fake app is misusing the name Telegram FZ-LLC.

In the Baohuo malware scam, victims usually come across the fake Telegram X app through online ads that claim to offer an improved or dating-focused version of the messenger. After installation, the app appears to work normally, but in the background, it connects to remote servers and takes control of the user’s Telegram account.

Baohuo can hide unauthorised logins and erase traces of any new or deleted chats or channels. This lets attackers join, leave, or change channels without the user noticing. In effect, they gain full access to messages, contacts, and sessions, and can manage chats as if they owned the account.

****How Baohuo Works and Its Global Impact: 58,000 Devices Infected****

Baohuo uses the Xposed framework to alter app behaviour at runtime. That lets it hide chats, devices, and notifications, or display fake update popups that send users to malicious pages. It also creates “mirrors”, copies of legitimate Telegram methods, to mimic normal app actions while carrying out its own malicious tasks.

One of the malicious sites used in the scam to spread Baohuo Android malware (Image via Dr Web)

In their blog post, Doctor Web analysts say the operation began in mid-2024 and has already affected more than 58,000 Android devices, including smartphones, tablets, TV boxes, and even car systems. Most of the infections are found in India, Brazil and Indonesia, where users are targeted with localised ad templates written in Portuguese and Indonesian.

1. India – 22.8%
2. Brazil – 20.5%
3. Indonesia – 9.6%
4. Egypt – 5.5%
5. Algeria – 4.0%
6. Colombia – 3.1%
7. Bangladesh – 2.2%
8. Russia – 2.3%
9. Iraq – 1.7%
10. Pakistan – 1.7%
11. Philippines – 1.7%

****A New Way of Command and Control****

The way Baohuo is controlled is another major concern. Earlier Android malware usually communicated through standard command-and-control (C2) servers. Baohuo, on the other hand, takes commands directly from a Redis database, making it the first known Android malware to use Redis for control.

This allows attackers to issue commands easily and continue operating if their main C2 server goes offline. These commands include uploading SMS messages, contacts, fetching encryption keys, pushing ads, downloading updates, or collecting detailed information about the infected device.

Worse, Baohuo can copy clipboard data. Anything copied on the phone, such as passwords or cryptocurrency wallet recovery phrases, can be intercepted and sent straight to the attacker’s server. The malware also checks in every few minutes, sending details about the user’s activity, such as whether the screen is on and what permissions the app has.

****Found in Popular Third-Party App Stores****

According to researchers, the malware has also been found in popular third-party app stores such as APKPure, ApkSum, and AndroidP. In some cases, it was listed as being uploaded by Telegram’s actual developer, even though the digital signatures didn’t match. Doctor Web says it has alerted these platforms to remove the trojanized files.

The company says its mobile antivirus products detect and remove all known versions of Baohuo, but the spread of modified Telegram apps on unofficial platforms remains a major issue. Users are advised to download Telegram only from the official Google Play Store or Telegram’s official website and to avoid installing APKs from links in ads or unverified catalogues.