Ethical Hacking News

New FireScam Android Data-Theft Malware Exposed: A Sophisticated Threat to User Security


New FireScam Android data-theft malware poses as Telegram Premium app, targeting Android device users with sophisticated surveillance capabilities.

  • FireScam is a new Android malware masquerading as Telegram's premium version.
  • The malware is distributed through phishing websites on GitHub that mimic RuStore, Russia's mobile device marketplace.
  • The dropper module requests access to installed apps, device storage, and additional packages upon execution.
  • FireScam extracts a main payload that installs and accesses sensitive user data, including notifications and clipboard content.
  • The malware uploads stolen data in real-time to a Firebase Realtime Database for tracking purposes.
  • FireScam maintains an open WebSocket connection with the Firebase C2 endpoint for real-time command execution.
  • The malware monitors changes in screen activity, e-commerce transactions, and user input, making it a sophisticated threat.



    In a disturbing development, security researchers have identified a new Android malware known as "FireScam" that has been masquerading as the premium version of the popular messaging app, Telegram. The malicious software has been distributed through phishing websites on GitHub that mimic RuStore, Russia's alternative mobile device marketplace launched in May 2022. This move highlights the growing threat landscape for Android users and serves as a stark reminder to exercise extreme caution when navigating the internet.


    According to Cyfirma, a reputable threat management company, the malicious GitHub page mimics RuStore and delivers a dropper module called GetAppsRu.apk upon execution. The dropper APK is obfuscated using DexGuard, making it challenging for security software to detect. Once installed, the malware acquires permissions that allow it to identify installed apps, access device storage, and install additional packages. This behavior sets the stage for further malicious activities.

    Following this initial payload, FireScam extracts and installs its main malware payload, 'Telegram Premium.apk'. This APK requests access to sensitive user data such as notifications, clipboard data, SMS, and telephony services. By doing so, it lays the groundwork for a sophisticated surveillance mechanism that can intercept various aspects of a user's life.
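The two paragraphs above describe a permission profile (install extra packages, enumerate installed apps, read storage, then reach notifications, SMS and telephony state) that a defender can check for during APK triage. The following helper is example code added to this page, not code from Cyfirma or the malware: the permission names are real Android permissions assumed to map onto the behaviour described, and the sample manifest is constructed.

```python
"""Triage helper for the permission profile described above: a package that can
install extra packages, enumerate installed apps, read storage, and reach
notifications, SMS and telephony state all at once. Example code added to this
page; permission names are real Android permissions, the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets assumed to map onto the behaviour the article describes.
CAPABILITIES = {
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "enumerate_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.READ_PHONE_STATE"},
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return permissions requested via <uses-permission> or bound on a <service>."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Notification access is granted to a service guarded by this permission.
    names |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {n for n in names if n}

def matched_capabilities(manifest_xml: str) -> set:
    """Return the capability buckets the manifest satisfies."""
    perms = manifest_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}

def is_suspicious(manifest_xml: str, threshold: int = 4) -> bool:
    """True when at least `threshold` buckets co-occur; a chat app rarely needs them all."""
    return len(matched_capabilities(manifest_xml)) >= threshold

# Constructed sample manifest shaped like the payload described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.premium">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Run against a decoded manifest (for example the output of a manifest-decoding tool), the dropper-only profile in the first paragraph matches three buckets and the payload profile matches all six.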

    Upon execution, FireScam establishes communication with a Firebase Realtime Database where it uploads stolen data in real-time. It registers the compromised device with unique identifiers, presumably for tracking purposes. This move underscores the threat actors' intent to collect personal data and exploit it to their advantage.

    Furthermore, FireScam maintains an open WebSocket connection with the Firebase C2 endpoint for real-time command execution. This enables the malware to execute specific commands, trigger immediate uploads to the database, download and execute additional payloads, or adjust surveillance parameters as needed.

    The malware's capabilities extend beyond basic data exfiltration; it also monitors changes in screen activity, capturing on/off events and logging active apps at any given time. Additionally, FireScam meticulously monitors e-commerce transactions, attempting to capture sensitive financial data. It even intercepts user input such as typed characters, dragged items, clipboard content, and password manager exchanges, categorizing this information for targeted exfiltration.

    Cyfirma classifies FireScam as a "sophisticated and multifaceted threat" that employs advanced techniques to evade detection. The company emphasizes the need for users to exercise extreme caution when opening files from untrusted sources or clicking on unfamiliar links.

    In conclusion, FireScam presents a significant security threat to Android device users. Its sophisticated tactics make it a formidable adversary in the world of cyber threats. As users navigate the ever-evolving landscape of online risks, awareness and vigilance are crucial defenses against such malicious software.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/new-firescam-android-data-theft-malware-poses-as-telegram-premium-app/


  • Published: Sat Jan 4 22:13:08 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.