FireScam infostealer poses as Telegram Premium app to surveil Android devices

Android malware dubbed FireScam tricks people into thinking they are downloading a Telegram Premium application. Once installed, it stealthily monitors victims' notifications, text messages, and app activity, and steals sensitive information via Firebase services.

Cyfirma researchers spotted the new infostealer with spyware capabilities and said the malware is distributed through a GitHub.io-hosted phishing website that mimics RuStore, a popular Russian Federation app store.

The phishing site delivers a dropper identified as ru[.]store[.]installer, which installs as GetAppsRu[.]apk. When launched, it prompts the user to install Telegram Premium.

Of course, this isn’t really the messaging app but rather the FireScam malware, and it targets devices running Android 8 through 15.

Once installed, it requests a series of permissions that allow it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps.

Plus, one of the permissions designates the dropper that installed FireScam as the app's "update owner," so no other installer can update or replace it. That blocks legitimate updates from other sources and helps the malware persist on the victim's device.
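The permission set described above is a useful triage signal on its own. The following is an added example, not Cyfirma's tooling or anything from the FireScam sample: it parses a decoded AndroidManifest.xml and flags an app that requests the standard Android permissions corresponding to the capabilities the article lists (app enumeration, storage access, install/delete, update ownership) together with a notification-listener service. The manifest below is constructed for the demonstration; mapping these exact permission strings to FireScam's manifest is an assumption, since the article names the capabilities rather than the permissions.

```python
"""Triage a decoded AndroidManifest.xml for a FireScam-style permission set.

Added example for illustration only. The sample manifest is constructed and
the permission-to-capability mapping is an assumption drawn from the article's
description, not from the real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions matching the capabilities the article lists.
CAPABILITIES = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete other apps",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claim update ownership (blocks other updaters)",
}
# A service bound with this permission receives every notification on the device.
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest mimicking the capability set described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.constructed.fakepremium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the matched capabilities, notification listeners and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # Iterate CAPABILITIES (not the set) so the output order is deterministic.
    findings = [desc for perm, desc in CAPABILITIES.items() if perm in requested]
    listeners = [
        s.get(NAME_ATTR)
        for s in root.iter("service")
        if s.get(PERM_ATTR) == NOTIF_LISTENER_PERM
    ]
    # Weighting is an assumption: a notification listener alone reads every
    # message preview, so it counts as two capability hits.
    score = len(findings) + (2 if listeners else 0)
    return {
        "package": root.get("package"),
        "findings": findings,
        "notification_listeners": listeners,
        "score": score,
        "suspicious": score >= 4,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "ok", result["findings"])
```

In practice you would run this over manifests decoded with apktool or aapt; the score threshold is a starting point to tune against your own app inventory, since storage permissions alone are common in benign apps while update ownership plus install/delete plus a notification listener is not.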

Attackers can use the infostealer/surveillance malware to intercept and steal sensitive device and personal information, including notifications, messages, other app data, clipboard content, and USSD responses, which may include account balances, mobile transactions, or network-related data.

“These logs are then exfiltrated to a Firebase database, granting attackers remote access to the captured details without the user’s knowledge,” Cyfirma’s researchers noted.

Stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and then later removed.

This use of legitimate services – specifically Firebase, in this case, for data exfiltration and command-and-control (C2) communications – also helps the malware evade detection and is a tactic increasingly used to disguise malicious traffic and payloads.

FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications. Whenever the app receives a Firebase push notification, this triggers the messaging service.

This can be used to receive remote commands from the C2 server and execute specific actions, and silently deliver additional malicious payloads that can be downloaded and installed remotely.
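Because FCM and the Firebase Realtime Database are legitimate Google services, blocking their hostnames is not an option; the useful signal is which app is talking to them and where that app came from. The following is an added example, not Cyfirma's tooling: it correlates constructed per-app connection records (timestamp, package, installer, destination host, in the style of an MDM or VPN export) with the installer source, and flags sideloaded apps that reach Firebase endpoints. The record format, package names and the assumption that only Play-installed apps are expected to use Firebase are all constructed for the demonstration.

```python
"""Flag sideloaded apps using Firebase endpoints as possible C2/exfil channels.

Added example for illustration only. The record format, package names and
installer policy below are constructed; Firebase hostnames are Google's real
service domains.
"""
import re
from collections import defaultdict

# FCM push delivery and Realtime Database hostnames. These are legitimate
# services, so the decision cannot rest on the hostname alone.
FIREBASE_HOST_RE = re.compile(
    r"(^|\.)(fcm\.googleapis\.com|firebaseio\.com|firebasedatabase\.app)$"
)

# Assumption: apps installed by Play are expected to use Firebase; sideloaded
# apps, which `pm list packages -i` reports with installer=null, are not.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed records: "<timestamp> <package> <installer> <destination host>".
SAMPLE_RECORDS = """\
2025-01-06T09:12:01Z com.constructed.news com.android.vending fcm.googleapis.com
2025-01-06T09:12:05Z com.constructed.news com.android.vending news-app.firebaseio.com
2025-01-06T09:13:10Z com.constructed.fakepremium null fcm.googleapis.com
2025-01-06T09:13:12Z com.constructed.fakepremium null fake-db.firebaseio.com
2025-01-06T09:14:00Z com.constructed.bank com.android.vending api.constructed-bank.example
2025-01-06T09:15:00Z com.constructed.sideloaded null cdn.constructed.example
"""


def parse_records(text: str):
    """Yield (timestamp, package, installer, host) tuples, skipping blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pkg, installer, host = line.split()
        yield ts, pkg, installer, host


def find_firebase_c2_candidates(text: str) -> list:
    """Return sideloaded packages that contacted Firebase, with the hosts seen."""
    hosts_by_pkg = defaultdict(set)
    installer_by_pkg = {}
    for _, pkg, installer, host in parse_records(text):
        installer_by_pkg[pkg] = installer
        if FIREBASE_HOST_RE.search(host):
            hosts_by_pkg[pkg].add(host)

    findings = []
    for pkg in sorted(hosts_by_pkg):
        if installer_by_pkg[pkg] in TRUSTED_INSTALLERS:
            continue  # expected Firebase user; nothing to report
        hosts = sorted(hosts_by_pkg[pkg])
        fcm = [h for h in hosts if h.endswith("fcm.googleapis.com")]
        findings.append({
            "package": pkg,
            "installer": installer_by_pkg[pkg],
            "firebase_hosts": hosts,
            # Push channel for commands/payloads versus database for exfil,
            # the two roles the article attributes to Firebase here.
            "uses_fcm": bool(fcm),
            "uses_realtime_db": len(fcm) < len(hosts),
        })
    return findings


if __name__ == "__main__":
    for f in find_firebase_c2_candidates(SAMPLE_RECORDS):
        print(f["package"], f["installer"], f["firebase_hosts"])
```

An app that is sideloaded, receives FCM pushes and writes to a Realtime Database it has no business using is exactly the pattern described above; a Play-installed app doing the same is ordinary, which is why the installer field does the real work here.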

“The app can also exfiltrate sensitive data from the device to a remote server without the user’s awareness, maintaining continuous communication with the remote server even when the app is not actively in the foreground,” the researchers warned.

This communication also makes it more difficult for security tools to detect. Plus, the malware profiles the device, which allows it to tailor its behavior to specific environments and further bypass security controls. ®
