

Ethical Hacking News

FireScam: The Sophisticated Android Malware Masquerading as Telegram Premium to Steal Data and Control Devices


FireScam: A New Threat in Mobile Security

  • FireScam is an Android information-stealing malware that disguises itself as a premium version of the Telegram messaging app.
  • The malware uses phishing sites to distribute dropper APK files, which request suspicious permissions and exfiltrate sensitive data from infected devices.
  • FireScam employs obfuscation techniques to evade detection and monitors user activity, including notifications, screen state changes, e-commerce transactions, clipboard content, and more.
  • The malware can download and process image data from specified URLs, access contact lists, call logs, and SMS messages, and steal Telegram login credentials.
  • FireScam is designed to exploit user trust by mimicking legitimate platforms, making it a sophisticated and multifaceted threat.
  • To combat this threat, users must be cautious when downloading and installing apps from unknown sources and keep their devices' operating systems and security software up-to-date.



    A new threat has emerged in mobile security, one that is both sophisticated and multifaceted. FireScam, an Android information-stealing malware, has been found masquerading as a premium version of the Telegram messaging app, with the aim of stealing data and maintaining persistent remote control over compromised devices.

    According to Cyfirma, the cybersecurity company behind the analysis, FireScam is disguised as a fake 'Telegram Premium' app distributed through a phishing site that impersonates RuStore, an app store launched by Russian tech giant VK and popular in the Russian Federation. The phishing site, rustore-apk.github[.]io, is designed to deliver a dropper APK file ("GetAppsRu.apk").

    Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. The dropper app requests several permissions, including the ability to write to external storage and install, update, or delete arbitrary apps on infected Android devices running Android 8 and later.

    One of the notable features of FireScam is its use of obfuscation and anti-analysis techniques to hinder static analysis and evade detection by security software. Once running, FireScam keeps tabs on incoming notifications, screen state changes, e-commerce transactions, clipboard content, and user activity to gather information of interest.

    Another notable function of the rogue Telegram Premium app is its ability to download and process image data from a specified URL. The malware also seeks users' permission to access contact lists, call logs, and SMS messages, after which a login page for the legitimate Telegram website is displayed through a WebView to steal the credentials.

    The data gathering process is initiated regardless of whether the victim logs in or not. FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications, giving the operators a push-based channel to deliver remote commands and maintain covert access. At the same time, the malware establishes a WebSocket connection with its command-and-control (C2) server for data exfiltration and follow-on activities.
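    A defender-side check that follows from the behaviour described above, as an added example for this page (it is not Cyfirma's tooling and not code from the FireScam sample): it triages a decoded AndroidManifest.xml for the combination the article describes, namely install/sideload capability, SMS, call-log, contact and notification access, an FCM receiver service, and a "Telegram" display name on a non-Telegram package id. The two manifests below are constructed for illustration; the permission lists, the official Telegram package id and the score weights are assumptions.

```python
"""Manifest triage for the permission/component pattern the FireScam write-up
describes. Added example, not Cyfirma's tooling or FireScam's own manifest.
Input is a decoded (text) AndroidManifest.xml as apktool emits it; the binary
AXML inside a raw APK must be decoded first."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# Assumption: permission sets mapped from the behaviours the article lists
# (dropper installs arbitrary apps; payload reads SMS, call logs, contacts and
# notifications). The real sample may declare others.
INSTALLER_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
SPY_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
OFFICIAL_TELEGRAM_PKG = "org.telegram.messenger"  # assumption: Play Store package id


def triage_manifest(xml_text: str) -> dict:
    """Return risky permissions, an FCM-receiver flag, a brand-impersonation
    flag and a coarse score for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A notification listener declares its bind permission on the <service>
    # element, not as a <uses-permission>, so collect those as well.
    svc_perms = {s.get(A + "permission") for s in root.iter("service")}
    fcm = any(a.get(A + "name") == FCM_ACTION
              for s in root.iter("service") for a in s.iter("action"))
    app = root.find("application")
    label = (app.get(A + "label") or "") if app is not None else ""
    # Display name says "Telegram" but the package id is not Telegram's: the
    # masquerade the article describes.
    brand_mismatch = ("telegram" in label.lower()
                      and root.get("package") != OFFICIAL_TELEGRAM_PKG)
    f = {
        "installer_capability": sorted(perms & INSTALLER_PERMS),
        "spyware_permissions": sorted((perms | svc_perms) & SPY_PERMS),
        "fcm_command_channel": fcm,
        "brand_mismatch": brand_mismatch,
    }
    # Assumption: weights are arbitrary triage heuristics, not a published scheme.
    f["score"] = (len(f["installer_capability"]) + len(f["spyware_permissions"])
                  + 2 * fcm + 2 * brand_mismatch)
    f["verdict"] = ("suspicious" if f["score"] >= 4
                    else "review" if f["score"] >= 2 else "low")
    return f


# Constructed sample: what a dropper/spyware manifest of this kind could look like.
FAKE_TELEGRAM_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ru.getapps.store">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".FcmSvc">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("fake", FAKE_TELEGRAM_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(m))
```

    Run it against `apktool d sample.apk` output by reading the decoded `AndroidManifest.xml` into `triage_manifest`. The brand check is the cheapest signal: a legitimate Telegram build ships under Telegram's own package id, so a "Telegram Premium" label on anything else is reason enough to stop before looking at permissions.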

    Cyfirma has noted that FireScam is a sophisticated and multifaceted threat, designed to exploit user trust by mimicking legitimate platforms such as the RuStore app store. "By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit user trust to deceive individuals into downloading and installing fake applications," Cyfirma said.

    The phishing domain also hosted another malicious artifact named CDEK, which is likely a reference to the Russia-based package and delivery tracking service. However, Cyfirma was unable to obtain the artifact at the time of analysis.

    It's currently not clear who the operators are, how users are directed to these links, or whether the lure involves SMS phishing or malvertising.

    To combat this threat, users must be cautious when downloading and installing apps from outside official app stores. It's essential to verify the authenticity of an app before installation (the publisher and package name, not just the icon and display name), to refuse per-app "install unknown apps" prompts that a messaging app has no reason to request, and to keep the device's operating system and security software up-to-date.

    In conclusion, FireScam is a sophisticated Android malware that masquerades as Telegram Premium to steal data and control devices. The threat highlights the importance of user caution when interacting with unknown sources online.



    Related Information:

  • https://thehackernews.com/2025/01/firescam-android-malware-poses-as.html

  • https://hackread.com/firescam-infostealer-spyware-android-fake-telegram-premium/


  • Published: Tue Jan 7 02:39:26 2025 by llama3.2 3B Q4_K_M