A newly discovered Android information-stealing malware, FireScam, has been found impersonating a premium version of the Telegram messaging app. This malware is designed to steal sensitive data and establish persistent remote control over infected devices.
According to cybersecurity firm Cyfirma, FireScam is a "sophisticated and multifaceted threat" that spreads through a GitHub.io-hosted phishing site, specifically crafted to impersonate RuStore, a popular app marketplace in Russia.
Multi-Stage Infection Process
FireScam infects a device in stages: a dropper APK is installed first, and the payload it delivers is what enables extensive surveillance.
The phishing website, rustore-apk.github[.]io, mimics the legitimate RuStore platform, deceiving users into downloading a dropper APK file named "GetAppsRu.apk". Once executed, this dropper deploys the primary malware payload, which is responsible for:
Exfiltrating notifications, messages, and other sensitive app data
Uploading stolen data to a Firebase Realtime Database endpoint
Requesting dangerous permissions to control the infected device
Exploiting Android Permissions for Persistence
FireScam aggressively requests multiple permissions, including those that let it install, update, and delete applications on devices running Android 8 and later. Notably, it requests the ENFORCE_UPDATE_OWNERSHIP permission, which lets an installing app declare itself the update owner of the app it installs; FireScam uses it to make itself the update owner of the infected app.
Once an update owner is set, an update attempt by any other installer is no longer silent: Android asks the user to approve it. That stops a legitimate build from quietly replacing the malicious one and so helps the malware persist on the device. Update ownership was introduced in Android 14 (API level 34), so this particular trick has no effect on older devices.
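The permission profile described above is something an analyst can check statically before running the sample. The following is an added example written for this article, not Cyfirma's tooling or code from the malware: it triages an apktool-decoded AndroidManifest.xml for the install/update/delete permissions, ENFORCE_UPDATE_OWNERSHIP, the contacts/call-log/SMS permissions, and a notification-listener service. The permission-to-capability mapping, the notification-listener check and the sample manifests (package names included) are this example's own assumptions.

```python
"""Static triage of an apktool-decoded AndroidManifest.xml (added example;
mapping, listener check and sample manifests are assumptions)."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_MIN_SDK = "{%s}minSdkVersion" % ANDROID_NS

# Permissions the article ties to FireScam's behaviour (assumed mapping).
RISKY = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install/update apps (Android 8+)",
    "android.permission.DELETE_PACKAGES": "delete apps",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claim update ownership (Android 14+)",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_SMS": "read SMS",
}
PERSISTENCE_SET = {"android.permission.REQUEST_INSTALL_PACKAGES",
                   "android.permission.ENFORCE_UPDATE_OWNERSHIP"}
HARVEST_SET = {"android.permission.READ_CONTACTS",
               "android.permission.READ_CALL_LOG",
               "android.permission.READ_SMS"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
UPDATE_OWNERSHIP_API = 34  # update ownership exists from Android 14 (API 34)


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    requested = sorted({el.get(A_NAME) for el in root.iter("uses-permission")} - {None})
    flagged = {p: RISKY[p] for p in requested if p in RISKY}

    # A NotificationListenerService is a <service> guarded by BIND_NOTIFICATION_LISTENER_SERVICE.
    listeners = [svc.get(A_NAME) for svc in root.iter("service")
                 if svc.get(A_PERMISSION) == NOTIF_LISTENER]

    sdk = root.find("uses-sdk")  # apktool may move this into apktool.yml instead
    min_sdk = int(sdk.get(A_MIN_SDK)) if sdk is not None and sdk.get(A_MIN_SDK) else None

    notes = []
    if PERSISTENCE_SET <= set(requested):
        notes.append("can install apps and claim update ownership: persistence profile")
    if HARVEST_SET <= set(requested):
        notes.append("contacts + call log + SMS: personal-data harvesting profile")
    if listeners:
        notes.append("notification listener declared: can read other apps' notifications")
    if ("android.permission.ENFORCE_UPDATE_OWNERSHIP" in requested
            and min_sdk is not None and min_sdk < UPDATE_OWNERSHIP_API):
        notes.append("update ownership only takes effect on API %d+; ignored on older devices"
                     % UPDATE_OWNERSHIP_API)

    return {"package": root.get("package"), "flagged": flagged,
            "notification_listeners": listeners, "min_sdk": min_sdk, "notes": notes}


# Constructed manifests for the example (not from the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepremium">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="34"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotificationSpy"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against `apktool d sample.apk` output; a real triage would also inspect the dropper's manifest, since it is the dropper, as the installer of the payload, that needs ENFORCE_UPDATE_OWNERSHIP to claim ownership of the app it installs.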
Advanced Evasion and Data Exfiltration Tactics
FireScam employs various obfuscation and anti-analysis techniques to avoid detection. Additionally, it monitors:
Incoming notifications and screen state changes
E-commerce transactions and clipboard content
User activity across different applications
Another notable capability includes downloading and processing image data from a predefined URL, possibly for advanced surveillance or additional payload execution.
Credential Theft Through Fake Telegram Login
When victims launch the fake Telegram Premium app, it prompts them to grant access to their contacts, call logs, and SMS messages. It then displays a login page for the Telegram website inside a WebView that the malware controls, so credentials typed into it can be captured.
Data collection begins whether or not the victim completes the login.
Covert Communication with Command-and-Control (C2) Server
FireScam registers a Firebase Cloud Messaging (FCM) service, enabling it to receive remote commands for executing malicious actions. It also establishes a WebSocket connection with its command-and-control (C2) server, facilitating real-time data exfiltration and follow-up attacks.
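The three channels named in this section (a Firebase Realtime Database for exfiltration, FCM for tasking, a WebSocket for live C2) plus the github.io hosting in the earlier section leave recognisable URL shapes in a decoded APK. The following is an added example for this article, not Cyfirma's tooling or the malware's code: it pulls URLs out of decoded strings.xml/smali text and classifies them by role. The sample strings and every host in them except rustore-apk.github.io (the one domain the article names) are constructed.

```python
"""Extract and classify network endpoints from decoded APK text (added example;
sample strings and the non-article hosts in them are constructed)."""
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"\b(?:https?|wss?)://[^\s\"'<>\\]+")

# The only domain the article names as an indicator.
KNOWN_PHISHING_HOSTS = {"rustore-apk.github.io"}


def classify_endpoint(url: str) -> str:
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in KNOWN_PHISHING_HOSTS:
        return "known-phishing-host"
    if p.scheme in ("ws", "wss"):
        return "websocket-c2"
    if host.endswith((".firebaseio.com", ".firebasedatabase.app")):
        # The Realtime Database REST interface addresses a node as <path>.json
        return "firebase-rtdb-rest" if p.path.endswith(".json") else "firebase-rtdb"
    if host == "fcm.googleapis.com":
        return "fcm"
    if host.endswith(".github.io"):
        return "github-pages"
    return "other"


def extract_endpoints(text: str) -> list:
    """Return [(url, role)] in order of first appearance, deduplicated."""
    text = text.replace("\\/", "/")  # smali dumps sometimes escape '/' as '\/'
    seen = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")
        if url not in [u for u, _ in seen]:
            seen.append((url, classify_endpoint(url)))
    return seen


def summarize(endpoints: list) -> dict:
    kinds = Counter(role for _, role in endpoints)
    has_rtdb = any(role.startswith("firebase-rtdb") for _, role in endpoints)
    # FCM and Firebase are common in legitimate apps; the article's combination
    # (RTDB exfil plus a raw WebSocket C2) is what makes the profile suspicious.
    return {"counts": dict(kinds), "firescam_like": has_rtdb and kinds["websocket-c2"] > 0}


# Constructed decoded-APK text for the example.
SAMPLE_STRINGS = """\
const-string v0, "https://fake-project-default-rtdb.firebaseio.com/devices/%s/notifications.json"
const-string v1, "wss://c2.example.invalid/socket"
const-string v2, "https://fcm.googleapis.com/fcm/send"
<string name="store_url">https://rustore-apk.github.io/GetAppsRu.apk</string>
<string name="img">https://images.example.invalid/banner.png</string>
"""

if __name__ == "__main__":
    for url, role in extract_endpoints(SAMPLE_STRINGS):
        print(f"{role:22s} {url}")
    print(summarize(extract_endpoints(SAMPLE_STRINGS)))
```

Feed it the concatenated smali and resource files from `apktool d`; obfuscated samples may build URLs at runtime, so an empty result is not a clean bill of health.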
Additional Threats Hosted on the Phishing Domain
Cyfirma’s analysis revealed that the phishing domain also hosted another malicious artifact named CDEK, likely referencing a Russia-based package and delivery tracking service. However, researchers were unable to retrieve the artifact during their investigation.
FireScam’s Distribution Strategy: Social Engineering at Its Finest
It remains unclear how users are directed to these phishing sites, but SMS phishing (smishing) and malvertising campaigns are suspected methods. By mimicking legitimate platforms such as RuStore, these malicious websites exploit user trust to trick individuals into downloading and installing fraudulent applications.
FireScam’s ability to execute data exfiltration, persistent surveillance, and real-time remote control highlights the increasing effectiveness of phishing-based malware distribution methods.
Protect Yourself Against FireScam Malware
Avoid downloading apps from unverified sources, especially those promoted via unknown links.
Regularly update your device’s security settings and review app permissions.
Use reputable mobile security solutions to detect and block suspicious applications.
Be cautious of phishing attempts and verify the legitimacy of any app store before downloading applications.
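"Review app permissions" and "avoid unverified sources" can be turned into a concrete device check. The following is an added example for this article (not Cyfirma's or any vendor's tool): it parses the output of `adb shell pm list packages -i` to find apps that did not come from a trusted store, then parses `adb shell dumpsys package <pkg>` for each to list the sensitive permissions they actually hold. The adb output below is constructed, and the package names and the set of trusted installers (Google Play as com.android.vending, RuStore as ru.vk.store) are assumptions.

```python
"""Find sideloaded apps and their granted sensitive permissions from adb output
(added example; adb output, package names and trusted installers are assumptions)."""
import re

# Installers a device owner expects (assumed package names).
TRUSTED_INSTALLERS = {"com.android.vending", "ru.vk.store"}
# Permissions the article says FireScam asks for, plus the install/update ones.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)
GRANT_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)


def sideloaded_packages(pm_output: str) -> dict:
    """{package: installer} for packages not installed by a trusted store."""
    return {pkg: inst for pkg, inst in PKG_LINE.findall(pm_output)
            if inst not in TRUSTED_INSTALLERS}


def granted_sensitive(dumpsys_output: str) -> set:
    """Sensitive permissions that dumpsys reports as granted=true."""
    return {p for p in GRANT_LINE.findall(dumpsys_output) if p in SENSITIVE}


def review(pm_output: str, dumpsys_by_pkg: dict) -> dict:
    findings = {}
    for pkg, installer in sideloaded_packages(pm_output).items():
        perms = granted_sensitive(dumpsys_by_pkg.get(pkg, ""))
        findings[pkg] = {"installer": installer, "sensitive_granted": sorted(perms)}
    return findings


# Constructed `pm list packages -i` output: a browser-sideloaded dropper
# (installer=null) and the payload it installed (installer = the dropper).
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:org.telegram.messenger  installer=ru.vk.store
package:com.example.telegrampremium  installer=com.example.getappsru
package:com.example.getappsru  installer=null
"""

# Constructed `dumpsys package com.example.telegrampremium` excerpt.
SAMPLE_DUMPSYS = """\
  Package [com.example.telegrampremium] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.ENFORCE_UPDATE_OWNERSHIP: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, info in review(SAMPLE_PM, {"com.example.telegrampremium": SAMPLE_DUMPSYS}).items():
        print(pkg, info)
```

Preinstalled system apps also report `installer=null`, so run `pm list packages -3 -i` to restrict the first command to third-party packages. A sideloaded app that holds READ_SMS, READ_CALL_LOG and the install permissions at once is the combination worth removing with `adb shell pm uninstall <pkg>`.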
Stay informed and protect your devices from emerging cyber threats!