Hackers are using a malicious version of Telegram X to deploy backdoor malware that steals sensitive data, including cryptocurrency wallet credentials, from over 58,000 infected Android devices. This threat spreads via fake ads and third-party stores, allowing undetected control over victim accounts.
-
Malware targets users through deceptive in-app ads mimicking dating apps, leading to downloads from fraudulent sites.
-
It infiltrates legitimate third-party app repositories like APKPure, disguised under official developer names.
-
The backdoor has compromised more than 3,000 devices, including smartphones, tablets, TV boxes, and Android vehicle systems, with capabilities to steal chats, passwords, and crypto phrases.
Discover how Telegram malware is stealing crypto wallet secrets from thousands of devices. Learn protection tips to safeguard your accounts and assets in this escalating cyber threat. Stay secure today.
What is the Telegram Malware Threat Targeting Crypto Users?
Telegram malware involves hackers distributing a backdoored version of the Telegram X app to gain unauthorized access to users’ devices and accounts. This sophisticated threat, which emerged in 2024, primarily affects Android users in regions like Brazil and Indonesia, enabling attackers to steal sensitive information such as cryptocurrency passwords and mnemonic phrases. Cybersecurity analysts report it has infected over 58,000 devices, marking a dangerous evolution in mobile threats.
How Does the Telegram Backdoor Malware Spread and Operate?
The Telegram backdoor malware spreads through cunning tactics designed to evade detection. Hackers deploy it via misleading in-app advertisements that promise free video chats or dating services, redirecting users to phony app catalogs filled with fabricated reviews. These sites host the infected Telegram X app, which mirrors the legitimate version but carries a malicious payload under a altered digital signature.
Beyond fake websites, the malware has seeped into reputable third-party Android repositories such as APKPure, ApkSum, and AndroidP. Posed as the official app from the Telegram developer, it tricks users into sideloading the compromised file. Once installed, the backdoor grants hackers full remote control, allowing them to extract login credentials, passwords, full chat histories, and even clipboard data—often containing crypto wallet details or private keys.
According to reports from cybersecurity researchers at firms like Kaspersky and ESET, this malware’s stealth is unmatched. It conceals signs of compromise by masking third-party device logins in the app’s session list and silently adds or removes users from channels to boost fake subscriber counts. Unlike typical Android trojans, it leverages a Redis database for command-and-control, shifting from traditional servers to more resilient operations that execute commands like uploading SMS, contacts, and device info every three minutes.
Experts note its advanced evasion techniques: for non-intrusive tasks, it uses pre-built code mirrors of Telegram’s methods to display phishing prompts in authentic-looking interfaces. For deeper manipulations, such as hiding chats or intercepting clipboard contents, it employs the Xposed framework to hook into the app’s core functions. This allows seamless theft of confidential business data or cryptocurrency secrets without alerting the user. “This backdoor represents a new frontier in messenger hijacking, particularly risky for crypto holders who share wallet info via chat,” said a senior analyst at a leading threat intelligence group.
The infection spans diverse hardware, impacting over 3,000 smartphones, tablets, TV boxes, and even Android-based infotainment systems in vehicles. Distribution began targeting Portuguese and Indonesian speakers, but its reach suggests potential global expansion. Data collection is relentless: every time the app is minimized or restored, it relays authentication tokens, installed apps, and message logs to attackers, all while the interface operates normally.
Frequently Asked Questions
What Are the Signs of Telegram Malware Infection on My Device?
If your Telegram app behaves unusually, such as unauthorized channel joins, hidden sessions, or unexpected data usage spikes, it could indicate malware. Check for unfamiliar devices in your active sessions and scan with reputable antivirus tools. Immediate action includes uninstalling suspicious apps and changing passwords to protect crypto assets.
How Can I Protect My Crypto Wallets from Telegram Backdoor Threats?
To shield your cryptocurrency holdings, avoid sideloading apps from third-party sources and stick to official stores like Google Play. Enable two-factor authentication on Telegram, use hardware wallets for storage, and never copy-paste sensitive phrases in chats. Regularly update your device and monitor clipboard activity for anomalies, ensuring secure communication practices.
Key Takeaways
- Stealthy Distribution: The malware hides in fake ads and third-party stores, infecting devices without user suspicion—always verify app sources.
- Data Theft Risks: It captures crypto passwords and chat histories, emphasizing the need for encrypted, non-messenger wallet management.
- Proactive Defense: Update apps promptly, use official downloads, and employ security software to detect and block backdoor attempts early.
Conclusion
The Telegram malware threat underscores the growing vulnerabilities in popular messaging apps, especially for cryptocurrency users handling sensitive wallet data. With infections surpassing 58,000 devices and advanced backdoor capabilities like Redis-based controls, staying vigilant is crucial. As cyber threats evolve, adopting robust security measures—such as official app sources and multi-factor protections—will help safeguard your digital assets. Prioritize these steps now to navigate the crypto landscape securely in the coming years.
