Ethical Hacking News
A new Android malware called 'FireScam' is being distributed as a premium version of the Telegram app via phishing websites hosted on GitHub that mimic RuStore, Russia's app market for mobile devices. The FireScam malware can steal sensitive data such as user credentials and financial information, making it essential for Android users to be vigilant against phishing attacks.
FireScam is a new Android malware being distributed via phishing websites on GitHub that mimic the RuStore app. The malware steals sensitive data, including login credentials, and stores it temporarily in a Firebase Realtime Database before wiping it. It can also monitor screen activity, capture financial transaction data, and intercept clipboard data. FireScam employs obfuscation and other evasion techniques to avoid detection and acquires the permissions it needs for its malicious activities.
In a recent discovery, threat management company Cyfirma has uncovered a new Android malware named "FireScam" that is being distributed as a premium version of the Telegram app via phishing websites on GitHub. The malicious distribution site mimics RuStore, Russia's app market for mobile devices, which was launched in May 2022 by the Russian internet group VK (VKontakte). The malware poses as a legitimate RuStore app to steal sensitive data from unsuspecting Android users.
According to Cyfirma researchers, the FireScam malware first delivers a dropper module called GetAppsRu.apk. This dropper APK is obfuscated using DexGuard to evade detection and acquires permissions that allow it to identify installed apps, access the device's storage, and install additional packages. The next step is to extract and install the main malware payload, 'Telegram Premium.apk', which requests permissions to monitor notifications, clipboard data, SMS, and telephony services, among others.
Upon execution, a deceptive WebView screen showing a Telegram login page steals the user's credentials for the messaging service. FireScam establishes communication with a Firebase Realtime Database, where it uploads stolen data in real time and registers the compromised device with unique identifiers for tracking purposes. The malware also opens a persistent WebSocket connection with the Firebase C2 endpoint for real-time command execution.
Cyfirma reports that stolen data is only stored in the database temporarily and then wiped, presumably after the threat actors filtered it for valuable information and copied it to a different location. The FireScam malware can also monitor changes in screen activity, capturing on/off events and logging the active app at the time as well as activity data for events lasting for more than 1,000 milliseconds.
Furthermore, the malware meticulously monitors any e-commerce transactions, attempting to capture sensitive financial data. Anything the user types, drags and drops, or copies to the clipboard, and even data automatically filled in by password managers or exchanged between apps, is intercepted, categorized, and exfiltrated to the threat actors. FireScam employs advanced evasion techniques, according to Cyfirma researchers.
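The dropper and payload described above each request a distinctive set of permissions (enumerate installed apps, read storage and install packages for the dropper; notifications, SMS and telephony for the payload). The following triage script, added here as an example and not tooling from Cyfirma or the original article, reads an APK permission dump (the line format of `aapt dump permissions`, or one bare permission name per line) and flags packages whose declared permissions match either profile. The Android permission names are real; the grouping into capabilities, the profile thresholds, the package names and the sample dumps are constructed for this example.

```python
"""Triage helper: flag an APK whose declared permissions match the FireScam-style
dropper or payload profile described in the article. Example code, not Cyfirma's."""
import re
from typing import Dict, Set, Tuple

# Real Android permission names grouped by the capability the article attributes
# to FireScam. The grouping itself is this example's assumption.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "enumerate_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "read_storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    # Declared on a NotificationListenerService rather than as a uses-permission,
    # so it only appears if the input comes from a full manifest dump.
    "read_notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_CALL_LOG",
    },
}

# Dropper profile: identify installed apps, read storage, install packages.
DROPPER_PROFILE: Set[str] = {"enumerate_apps", "read_storage", "install_packages"}
# Payload profile: notifications, SMS, telephony (clipboard needs no manifest permission).
PAYLOAD_PROFILE: Set[str] = {"read_notifications", "read_sms", "telephony"}

_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")
_USES_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*name='([^']+)'")
_BARE_RE = re.compile(r"^[\w.]+\.permission\.[A-Z_]+$")


def parse_permissions(dump: str) -> Tuple[str, Set[str]]:
    """Return (package name, declared permissions) from a permission dump."""
    package = "<unknown>"
    perms: Set[str] = set()
    for raw in dump.splitlines():
        line = raw.strip()
        if (m := _PKG_RE.match(line)):
            package = m.group(1)
        elif (m := _USES_RE.match(line)):
            perms.add(m.group(1))
        elif _BARE_RE.match(line):
            perms.add(line)
    return package, perms


def capabilities(perms: Set[str]) -> Set[str]:
    """Map declared permissions onto the capability groups above."""
    return {cap for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names}


def assess(dump: str) -> Dict[str, object]:
    """Produce a triage verdict for one APK's permission dump."""
    package, perms = parse_permissions(dump)
    caps = capabilities(perms)
    if DROPPER_PROFILE <= caps:
        verdict = "dropper-like"
    elif len(caps & PAYLOAD_PROFILE) >= 2:
        verdict = "stealer-like"
    else:
        verdict = "no match"
    return {"package": package, "capabilities": sorted(caps), "verdict": verdict}


# Constructed samples in aapt 'dump permissions' format; package names are placeholders.
SAMPLE_DROPPER = """\
package: com.example.fakestore.dropper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""

SAMPLE_PAYLOAD = """\
package: com.example.fake.premium
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
"""

SAMPLE_BENIGN = """\
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER, SAMPLE_PAYLOAD, SAMPLE_BENIGN):
        print(assess(sample))
```

Permission-profile matching is a coarse first filter, not an identification: legitimate app stores and messaging clients legitimately request some of these permissions, so a "dropper-like" or "stealer-like" verdict should send the APK to static analysis (DexGuard-style obfuscation, embedded secondary APKs, Firebase endpoints) rather than be treated as a conviction.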
Although the company does not have any hints pointing to FireScam's operators, it is clear that the malware is a sophisticated and multifaceted threat. The cybersecurity community is advised to exercise caution when opening files from potentially untrusted sources or clicking on unfamiliar links. With this new discovery, it becomes increasingly evident that Android users must be vigilant against phishing attacks, especially those masquerading as legitimate apps like RuStore.
In light of the FireScam malware's existence, several questions arise regarding the motivations behind its creation and the implications for Android users worldwide. It is essential to emphasize the importance of verifying app sources before installation and keeping software up-to-date to minimize exposure to such threats.
The emergence of sophisticated malware like FireScam highlights the ongoing struggle between cyber threat actors and cybersecurity professionals in safeguarding mobile devices from phishing attacks. As new vulnerabilities are discovered, security measures must be adapted to prevent similar incidents from occurring.
Related Information:
https://www.bleepingcomputer.com/news/security/new-firescam-android-malware-poses-as-rustore-app-to-steal-data/
https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
https://mobileidworld.com/new-firescam-malware-targets-android-users-by-impersonating-telegram-app/
Published: Sat Jan 4 14:42:15 2025 by llama3.2 3B Q4_K_M