7 January 2025

FireScam malware masquerading as fake Telegram Premium app targets Android users


A new Android infostealer malware called FireScam has been discovered masquerading as a fake Telegram Premium app, distributed via a phishing site hosted on GitHub.io. The phishing site impersonates RuStore, a popular app store widely used in Russia, according to cybersecurity firm Cyfirma.

The FireScam malware exfiltrates sensitive data from infected Android devices, including notifications, messages, and app data, to a Firebase Realtime Database endpoint. Researchers have described FireScam as a “sophisticated and multifaceted threat” with extensive surveillance capabilities.

The malicious app follows a multi-stage infection process, starting with the download of a dropper APK named ‘GetAppsRu.apk’, from the phishing site rustore-apk.github[.]io. The dropper APK delivers the main malware payload, which is responsible for exfiltrating user data.

The dropper app requests multiple permissions, including the ability to write to external storage and manage app installations on Android 8 and later devices.

FireScam uses the ENFORCE_UPDATE_OWNERSHIP permission, which allows the initial installer of an app to declare itself the 'update owner,' blocking updates from other sources unless user approval is granted. This technique ensures the malware's persistence by preventing legitimate updates from overriding the malicious app.

FireScam employs obfuscation and anti-analysis techniques to evade detection while performing extensive monitoring activities. It tracks incoming notifications, screen state changes, clipboard content, e-commerce transactions, and other user activities. Additionally, it can download and process image data from specified URLs.

Upon launching, the fake Telegram Premium app requests access to sensitive data such as contact lists, call logs, and SMS messages. It then displays a login page resembling the legitimate Telegram website inside a WebView to steal user credentials. Notably, the malware begins its data collection activities whether or not the victim logs in.
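The permissions named in the preceding paragraphs (storage and install rights on Android 8+, ENFORCE_UPDATE_OWNERSHIP for persistence, and the contacts/call-log/SMS access requested at launch) together with the notification monitoring form a pattern an analyst can check for mechanically in a decoded manifest. The script below is an added example, not code from Cyfirma or from the article; both manifests in it are constructed for illustration, the grouping of permissions into categories and the scoring thresholds are this example's own choices, and it assumes the manifest has already been decoded to plain XML (for instance with apktool). The permission names themselves are real AOSP identifiers.

```python
"""Triage a decoded AndroidManifest.xml for the permission and component
pattern described in the FireScam write-up.

Added example. The manifests below are constructed samples, not the real
dropper or payload, and the category grouping and verdict thresholds are
this example's own (hypothetical) triage policy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real AOSP permission names, grouped by what they enable for this kind of
# infostealer. The grouping is a triage convention of this example.
RISKY = {
    "install": {
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.REQUEST_INSTALL_PACKAGES",   # sideload further APKs (Android 8+)
    },
    "persistence": {
        "android.permission.ENFORCE_UPDATE_OWNERSHIP",   # declare itself the update owner
    },
    "surveillance": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
}

NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample resembling the lookalike app described in the article.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
          package="example.lookalike.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifService"
             android:permission="{NOTIFICATION_LISTENER}">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign control: a network-only app with no sensitive permissions.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.benign.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Return declared risky permissions by category, whether a notification
    listener service is registered, and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    # <uses-permission> elements carry no namespace; only their attributes do.
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    declared.discard(None)

    hits = {cat: sorted(declared & perms) for cat, perms in RISKY.items()}
    hits = {cat: found for cat, found in hits.items() if found}

    # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE is how an app
    # receives every notification the device shows.
    listener = any(svc.get(perm_attr) == NOTIFICATION_LISTENER
                   for svc in root.iter("service"))

    # One point per category present plus one for the listener (example policy).
    score = len(hits) + int(listener)
    verdict = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {
        "package": root.get("package"),
        "hits": hits,
        "notification_listener": listener,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("lookalike", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['package']} -> {result['verdict']} (score {result['score']})")
        for cat, perms in result["hits"].items():
            print(f"  {cat}: {', '.join(perms)}")
```

The point of the category split is that any one of these permissions has legitimate uses (a file manager needs storage, an SMS client needs READ_SMS), so the verdict keys on the combination of install capability, update-ownership persistence, and data access rather than on a single permission. Run against real decoded manifests, the thresholds should be tuned to the app population being reviewed.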

To maintain covert access and facilitate remote commands, FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications. Simultaneously, it establishes a WebSocket connection with its command-and-control (C2) server, enabling real-time data exfiltration and follow-up actions.

Cyfirma found another malicious artifact hosted on the same phishing domain, named CDEK, likely referencing the Russia-based package and delivery tracking service. However, the researchers were unable to analyze the artifact.

The operators behind FireScam remain unidentified, and the method used to direct users to the phishing site, whether SMS phishing, malvertising, or another tactic, is not yet clear.
