FireScam Android malware impersonates Telegram app to steal sensitive data


An Android infostealer malware called FireScam, disguised as a fake Telegram Premium app, has been discovered being distributed via a GitHub.io phishing site that impersonates RuStore, a popular app store used in Russia.

In a December 30 report, Cyfirma researchers explained that FireScam seeks to exfiltrate sensitive Android data, including notifications, messages, and other application data, to a Firebase Realtime Database endpoint.

FireScam malware monitors Android device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to secretly gather valuable information.

“By capitalizing on the widespread use of popular applications [like Telegram] and legitimate services like Firebase, FireScam illustrates the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices,” the Cyfirma researchers wrote.

FireScam’s extensive monitoring and persistence on Androids regarding

T. Frank Downs, senior director of proactive services at BlueVoyant, noted that Telegram is one of the most used messaging apps globally, notably in Russia, where it has overtaken WhatsApp in terms of traffic volume as of 2023.

Downs said there are several unique aspects that make FireScam particularly harmful, starting with its persistence and broad surveillance capabilities. Downs said the malware’s ability to designate itself as the primary app updater prevents other installers from modifying it, ensuring a persistent presence on the device. Additionally, its ability to intercept, obfuscate and manipulate Unstructured Supplementary Service Data (USSD) is notable, Downs said, because USSD can sometimes involve sensitive data such as authentication codes.

“Generally speaking, any Android user who is not vigilant about security is exposed to this malware,” Downs said. “However, given that it is distributed via a phishing website imitating the RuStore app store, it appears that Russian Android users are the main targets. That said, it is difficult to determine for what purpose Russians may be targeted due to the considerable level of exploitation this malware enables.”

Eric Schwake, director of cybersecurity strategy at Salt Security, said the FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming more sophisticated.

“While using phishing websites to distribute malware is not a new tactic, FireScam’s specific methods, such as impersonating the Telegram Premium app and using the RuStore app store, illustrate the evolution of attackers’ techniques to deceive and compromise unsuspecting users,” Schwake said. “This situation highlights the critical need to secure APIs, which often serve as the foundation for mobile applications. Although this specific malware does not directly exploit APIs, it highlights the risk of attackers using compromised devices to access sensitive data and systems via mobile app APIs.”

Stephen Kowski, CTO of SlashNext Email Security, explained that the sophistication of FireScam malware lies in its ability to maintain persistence through intelligent manipulation of permissions and its use of Firebase Cloud Messaging for command and control: techniques which highlight the need for advanced mobile threat detection that can identify malicious behavior beyond simple signature matching.

“Real-time analysis of mobile applications and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels,” Kowski said. “The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized application behavior before sensitive data is compromised.”

Matt Bromiley, chief solutions engineer at LimaCharlie, said that any time an app can offer a premium service for free, it’s likely to attract more attention and receive more downloads. Bromiley said we often see similar campaigns using other messaging apps, hoping to trick users into downloading the malicious/hacked version.

“This type of campaign is effective because it seeks out victims searching for popular apps,” Bromiley said. “Messaging apps like Telegram are used by millions of people. The target pool is therefore very large and can lead to a significant number of downloads and installations. Additionally, very few users actually read/inspect the list of permissions requested by an app: they simply click “Accept” or “Yes” and ignore the warnings. This is another reason why malware can successfully request such broad and powerful permissions.”
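The capability pattern the article describes (notification access for message theft, installer rights for updater-style persistence, SMS and USSD reach, and Firebase used for push messaging and data exfiltration) can be spotted before install by reading an APK’s manifest rather than trusting the permission prompt. The script below is an added example written for this page; it is not Cyfirma’s analysis tooling, and the manifest, package name, service names and Firebase URL it parses are constructed for illustration, not FireScam’s real artifacts. The weights and threshold are this example’s own heuristic.

```python
"""Static triage of an AndroidManifest.xml for a FireScam-style capability mix.

Added example for this article, not vendor code. The sample manifest and
resource strings are constructed here; they are not FireScam's actual artifacts.
"""
import xml.etree.ElementTree as ET
from typing import Iterable

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Fully qualified attribute name in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"


# Dangerous permissions and the behaviour each one enables. Weights are a
# heuristic chosen for this example, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "can install/update other apps (updater-style persistence)"),
    "android.permission.QUERY_ALL_PACKAGES": (1, "enumerates every installed app"),
    "android.permission.READ_SMS": (2, "reads stored SMS, including authentication codes"),
    "android.permission.RECEIVE_SMS": (2, "intercepts incoming SMS"),
    "android.permission.CALL_PHONE": (2, "can dial numbers, including USSD codes"),
}

# System-bound services: the app only gets these if the user grants a special access setting.
PRIVILEGED_BINDINGS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": (3, "receives every notification shown on the device"),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (3, "can read and drive the screen"),
}

FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"          # Firebase Cloud Messaging receiver
FIREBASE_DB_MARKERS = ("firebaseio.com", "firebasedatabase.app")  # Realtime Database hostnames


def triage_manifest(manifest_xml: str, resource_strings: Iterable[str] = ()) -> dict:
    """Return a weighted score, human-readable findings and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings: list[tuple[int, str]] = []

    for up in root.iter("uses-permission"):
        name = up.get(attr("name"), "")
        if name in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[name]
            findings.append((weight, f"permission {name}: {why}"))

    for svc in root.iter("service"):
        svc_name = svc.get(attr("name"), "?")
        binding = svc.get(attr("permission"), "")
        if binding in PRIVILEGED_BINDINGS:
            weight, why = PRIVILEGED_BINDINGS[binding]
            findings.append((weight, f"service {svc_name} bound by {binding}: {why}"))
        for action in svc.iter("action"):
            if action.get(attr("name")) == FCM_ACTION:
                findings.append((2, f"service {svc_name} handles FCM messages: possible push-based C2 channel"))

    # Firebase project URLs usually live in generated resources, not the manifest,
    # so the caller passes extracted resource strings separately.
    for s in resource_strings:
        if any(marker in s for marker in FIREBASE_DB_MARKERS):
            findings.append((2, f"resource string points at a Firebase database host: {s}"))

    score = sum(w for w, _ in findings)
    return {"score": score, "findings": [f for _, f in findings], "verdict": "review" if score >= 6 else "low"}


# Constructed sample: a hypothetical "premium messenger" lookalike, not a real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepremium">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Premium Messenger">
        <service android:name=".NotifSvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <service android:name=".PushSvc" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed resource strings (hypothetical project URL).
SAMPLE_STRINGS = ["https://fakepremium-default-rtdb.firebaseio.com/", "Premium unlocked"]

# Constructed benign baseline: a normal app that only uses FCM for push notifications.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".PushSvc" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml, strings in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS), ("benign", BENIGN_MANIFEST, ())):
        result = triage_manifest(xml, strings)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

The benign baseline matters: Firebase Cloud Messaging and a Firebase hostname on their own are ordinary in legitimate apps, which is exactly why Cyfirma calls out the abuse of legitimate services. The signal is the combination of a notification listener, installer rights and SMS access in an app that claims to be a messenger, so the heuristic only crosses its threshold when several of those appear together. To run it on a real APK, decode it with apktool and feed the decoded AndroidManifest.xml plus the values in res/values/strings.xml to triage_manifest.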
