Hackers turn Telegram messenger into malware vector

According to reports, the malware is sent into devices through deceptive in-app advertisements and third-party app stores that masquerade as legitimate dating and communication platforms. This threat represents a significant escalation in mobile malware distribution, with it spreading across 58,000 infected devices.

In addition, it has also spread across more than 3,000 smartphones, tablets, TV boxes, and some Android-based vehicle systems.

Hackers weaponize Telegram with malware to gain access

The report claims that the backdoor distribution started in 2024, with the hacker primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates. The victims come across advertisements within the mobile application, which redirect them to fake app catalogs featuring fake reviews and promotional banners advertising free video chats and dating opportunities. These fake websites deliver apps infused with malware that look the same as the legitimate ones.

Aside from the malicious websites, the backdoor has also infiltrated established third-party repositories, including APKPure, ApkSum, and AndroidP, where it is deceptively posted under the official messenger developer’s name despite having a different digital signature.

Analysts identified the malware as having an exceptional capability to steal confidential information, which includes login credentials, passwords, and complete chat histories. The backdoor also hides compromised account indicators by hiding third-party device connections from active Telegram session lists.

In addition, it is capable of removing or adding its victims to channels and chats without their approval, disguising these actions entirely, and transforming compromised accounts into tools for artificially inflating Telegram channel subscribers.

What sets it apart from conventional Android threats is its use of the Redis database for command-and-control operations. The earlier versions of the malware relied on traditional C2 servers, but the developers have integrated Redis-based commands.

Malware manipulates functionalities without detection

The report claims that the backdoor uses multiple techniques to manipulate messenger functionalities without being detected. For operations that won’t interfere with core app features, the hackers use already prepared mirrors of messenger methods, which are separate code blocks responsible for specific tasks within the Android program architecture.

This mirror allows the app to display phishing messages within windows that perfectly replicate the original Telegram X interfaces.

For other operations that require deeper integration, the malware uses the Xposed framework to modify the app methods, allowing abilities like hiding specific chats, concealing authorized devices, and intercepting clipboard contents. The backdoor malware uses the Redis channels and C2 servers to receive extensive commands, including uploading SMS, contacts, and clipboard contents whenever a user minimizes or restores the messenger window.

The clipboard monitoring is used by hackers to steal data, such as crypto wallet passwords, mnemonic phrases, or confidential business communications that were unknowingly exposed. The backdoor collects device information, installed application data, message histories, and authentication tokens, and transmits the information to the hackers every three minutes while maintaining the appearance of a normal Telegram messenger operation.