A new Android infostealer malware called FireScam has been discovered masquerading as a fake Telegram Premium app, distributed via a phishing site hosted on GitHub.io. The phishing site impersonates RuStore, a popular app store widely used in Russia, according to cybersecurity firm Cyfirma.
The FireScam malware exfiltrates sensitive data from infected Android devices, including notifications, messages, and app data, to a Firebase Realtime Database endpoint. Researchers have described FireScam as a “sophisticated and multifaceted threat” with extensive surveillance capabilities.
The malicious app follows a multi-stage infection process, starting with the download of a dropper APK named ‘GetAppsRu.apk’ from the phishing site rustore-apk.github[.]io. The dropper APK delivers the main malware payload, which is responsible for exfiltrating user data.
The dropper app requests multiple permissions, including the ability to write to external storage and manage app installations on Android 8 and later devices.
FireScam uses the ENFORCE_UPDATE_OWNERSHIP permission, which allows the initial installer of an app to declare itself the 'update owner,' blocking updates from other sources unless user approval is granted. This technique ensures the malware's persistence by preventing legitimate updates from overriding the malicious app.
FireScam employs obfuscation and anti-analysis techniques to evade detection while performing extensive monitoring activities. It tracks incoming notifications, screen state changes, clipboard content, e-commerce transactions, and other user activities. Additionally, it can download and process image data from specified URLs.
Upon launching, the fake Telegram Premium app requests access to sensitive data such as contact lists, call logs, and SMS messages. It then displays a login page resembling the legitimate Telegram website using a WebView interface to steal user credentials. Notably, the malware begins its data collection activities regardless of whether the victim logs in or not.
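As an added defender-side example (not Cyfirma's tooling or code from the sample), the script below parses a decoded AndroidManifest.xml and flags the permission combination described above: update-ownership enforcement alongside SMS, contact and call-log access and a notification-listener service. The manifest fragments are constructed for illustration.

```python
# Triage a decoded AndroidManifest.xml for the permission profile the article
# attributes to FireScam. Added example, not Cyfirma's code; the manifests are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Real Android permission constants, grouped by the behaviour they enable.
PROFILE = {
    "update_ownership": {"android.permission.ENFORCE_UPDATE_OWNERSHIP"},
    "install_storage": {"android.permission.REQUEST_INSTALL_PACKAGES",
                        "android.permission.WRITE_EXTERNAL_STORAGE"},
    "personal_data": {"android.permission.READ_CONTACTS",
                      "android.permission.READ_CALL_LOG",
                      "android.permission.READ_SMS"},
}

def triage_manifest(xml_text: str) -> dict:
    """Report which parts of the FireScam-like profile a manifest matches."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE is what lets an
    # app read every incoming notification, the capability the article describes.
    listener = any(s.get(NS + "permission") == LISTENER_PERM
                   for s in root.iter("service"))
    hits = {g: sorted(requested & p) for g, p in PROFILE.items()}
    hits["notification_listener"] = listener
    # Flag the combination, not any single permission: a genuine store app may
    # hold ENFORCE_UPDATE_OWNERSHIP without touching SMS or contacts.
    hits["suspicious"] = bool(hits["update_ownership"]) and (
        bool(hits["personal_data"]) or listener)
    return hits

# Constructed manifest mirroring the permissions named in the article.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><service android:name=".NotifService"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
# Constructed store-like app: update ownership alone must not trip the flag.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""
print(triage_manifest(SAMPLE)["suspicious"], triage_manifest(BENIGN)["suspicious"])
```

Run it against the output of a manifest decoder such as apktool or aapt; binary AXML must be decoded to text first, since ElementTree only reads plain XML.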
To maintain covert access and facilitate remote commands, FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications. Simultaneously, it establishes a WebSocket connection with its command-and-control (C2) server, enabling real-time data exfiltration and follow-up actions.
Cyfirma found another malicious artifact hosted on the same phishing domain, named CDEK, likely referencing the Russia-based package and delivery tracking service. However, the researchers were unable to analyze the artifact.
The operators behind FireScam remain unidentified, and the methods used to direct users to the phishing site, whether through SMS phishing, malvertising, or other tactics, are not yet clear.