FireScam Malware

An Android malware called FireScam tricks people into thinking they are downloading a Telegram Premium application that clandestinely monitors victims' notifications, text messages, and app activity while stealing sensitive information via Firebase services.

Cyfirma researchers spotted the new infostealer with spyware capabilities. They said the malware is distributed through a GitHub.io-hosted phishing website mimicking RuStore, a popular Russian Federation app store.

The phishing site delivers a dropper named ru[.]store[.]installer, which is installed as GetAppsRu[.]apk. When launched, it prompts users to install Telegram Premium. Of course, this isn't really the messaging app but the FireScam malware, which targets Android 8 through 15 devices.
Once installed, FireScam requests a series of permissions that allow it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps. One of the permissions designates the miscreant who installed FireScam as the app's "update owner," thus preventing legitimate updates from different sources and enabling the malware to maintain persistence on the victim's device.

Attackers can use the infostealer/surveillance malware to intercept and steal sensitive device and personal information, including notifications, messages, other app data, clipboard content, and USSD responses, which may include account balances, mobile transactions, or network-related data. "These logs are then exfiltrated to a Firebase database, granting attackers remote access to the captured details without the user's knowledge," Cyfirma's researchers noted.

Stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and later removed. Using legitimate services, specifically Firebase, for data exfiltration and command-and-control (C2) communications also helps the malware evade detection and is a tactic increasingly used to disguise malicious traffic and payloads.

FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications. The messaging service is triggered whenever the app gets a Firebase push notification. This can be used to receive remote commands from the C2 server, execute specific actions, and silently deliver additional malicious payloads that can be downloaded and installed remotely. "The app can also exfiltrate sensitive data from the device to a remote server without the user's awareness, maintaining continuous communication with the remote server even when the app is not actively in the foreground," the researchers warned.

Routing this communication through a legitimate service also makes it harder for security tools to detect. Plus, the malware profiles the device, allowing it to tailor its behavior to specific environments and bypass security controls.
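As an added example (not code from the article or from Cyfirma), the following triage check flags, in a decoded AndroidManifest.xml, the combination the write-up describes: app enumeration, install/delete rights, external storage access, an FCM push service, and a notification listener. The permission constants are standard Android names assumed to match the prose, the update-ownership permission is the Android 14+ constant, and the sample manifest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities described in the article, mapped to standard Android permissions.
SUSPECT_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete other apps",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "modify external storage",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claim update ownership (Android 14+)",
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # FCM push service entry point
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifest (not taken from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.sample">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Fcm" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Return suspicious permissions/services found and a simple risk score."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {p: SUSPECT_PERMISSIONS[p] for p in perms if p in SUSPECT_PERMISSIONS}
    fcm = notif = False
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        fcm = fcm or FCM_ACTION in actions           # remote-command channel
        notif = notif or svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER
    score = len(found) + (2 if fcm else 0) + (2 if notif else 0)
    return {"permissions": found, "fcm_service": fcm,
            "notification_listener": notif, "score": score}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score is a triage signal for analyst review, not a verdict: many legitimate apps use FCM, so the combination with install/delete rights and a notification listener is what matters.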


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Red Sky provides indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
