Q4 2025 Malware Trends: Telegram Backdoor, Banking Trojans Surge, Joker Returns to Google Play

Telegram mods spread a powerful Android backdoor as banking trojans surge and Joker malware resurfaces on Google Play in Q4 2025, says Doctor Web.

HackRead

A modified version of Telegram X has been used to infect tens of thousands of Android devices with a sophisticated backdoor, according to the latest Q4 2025 mobile malware report by Doctor Web.

The malware, labeled Android.Backdoor.Baohuo.1.origin, was hidden inside unofficial builds of the popular messaging app and distributed through third-party app catalogs and suspicious websites.

Once installed, the malware grants attackers the ability to control the victim’s Telegram account, effectively allowing them to act as if they were the user themselves. That includes joining or leaving channels, hiding new logins from account history, and even hiding specific messages. The goal appears to be long-term control without alerting the user.

Doctor Web reported that around 58,000 devices had been infected, affecting roughly 3,000 different models. However, the infection wasn’t limited to smartphones; Android-powered tablets, smart TVs, TV box sets, and even in-car systems were also affected. This wide reach shows how attackers are targeting any Android system that can install APKs outside the Play Store.

**Other Android Malware Activity You Should Know About**

Doctor Web’s report also noted a spike in banking trojans, particularly those in the Android.Banker family. These threats increased by over 65%, targeting users with fake banking interfaces and intercepting SMS codes. Meanwhile, adware like MobiDash and HiddenAds declined, but modules like AdPush still topped detection charts.

Additionally, the notorious Joker malware and FakeApp trojan showed up again on Google Play, reaching more than 263,000 installs before being taken down. These apps subscribed users to paid services or pushed them toward scam websites.

**Telegram and Malware Apps**

The fact that this malware was embedded into a widely used messaging app is not surprising, since it has happened several times in the past. Telegram’s popularity, especially in regions where alternative app stores are more commonly used, makes it a prime target for tampered versions. Users often look for modified builds promising added features or fewer restrictions, which opens the door to these kinds of threats.

If you’re using unofficial versions of Telegram or other apps from third-party stores, delete them immediately and change the passwords for your email, social media accounts, crypto wallets, and the PIN codes for your banking and card apps.

A horizontal bar chart comparing the most common Android malware detected in Q3 and Q4 of 2025, based on data from Dr.Web Security Space for mobile devices. Each malware variant is listed on the vertical axis, while the detection rate, expressed as a percentage, is shown on the horizontal axis.

Doctor Web’s full review of Q4 2025, including technical details and indicators of compromise, is available here.

(Photo by Mika Baumeister on Unsplash)
