New Android FireScam Malware Impersonates RuStore App to Steal Data


A new Android malware named “FireScam” is distributed as a premium version of the Telegram app via phishing websites on GitHub that imitate RuStore, the Russian mobile device app marketplace.

RuStore was launched in May 2022 by Russian Internet Group VK (VKontakte) as an alternative to Google Play and Apple’s App Store, following Western sanctions that impacted Russian users’ access to mobile software.

It hosts applications that comply with Russian regulations and was created with the support of the Russian Ministry of Digital Development.

According to researchers at threat management firm Cyfirma, the malicious GitHub page mimicking RuStore first delivers a dropper module called GetAppsRu.apk.

The dropper APK is obfuscated using DexGuard to evade detection and acquires permissions that allow it to identify installed apps, give it access to device storage, and install additional packages.

Then, it extracts and installs the main malware payload, “Telegram Premium.apk”, which asks for permissions to monitor notifications, clipboard data, SMS messages, and phone services, among others.
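As an added defender-side example (not code from Cyfirma's report), the script below reads an AndroidManifest.xml and flags an app whose requested permission set matches the combination the dropper and payload ask for above; the permission names are standard Android identifiers, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families matching the behaviour described above: installed-app
# enumeration, storage access, package installation, notification access,
# SMS and phone services. All names are standard Android permissions.
WATCHLIST = {
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "enumerate_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone": {"android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect permissions from <uses-permission> tags and from the
    android:permission attribute of <service> elements (where the
    notification-listener binding permission lives)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            perms.add(node.get(ANDROID_NS + "name", ""))
    for svc in root.iter("service"):
        perms.add(svc.get(ANDROID_NS + "permission", ""))
    perms.discard("")
    return perms

def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Return the watchlist families present and whether enough of them
    co-occur to warrant a closer look (threshold is a tunable heuristic)."""
    perms = requested_permissions(manifest_xml)
    hit = sorted(f for f, names in WATCHLIST.items() if perms & names)
    return {"families": hit, "suspicious": len(hit) >= threshold}

# Constructed sample manifest with the permission profile the article describes.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.lookalike">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The threshold is deliberately coarse: a legitimate messaging or MDM app can request several of these families, so treat a hit as a triage prompt, not a verdict.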

RuStore clone hosted on a GitHub.io domain
Source: CYFIRMA

FireScam Capabilities

At runtime, a deceptive WebView screen displaying a Telegram login page steals user credentials for the messaging service.

FireScam establishes communication with a Firebase Realtime Database, to which it uploads the stolen data in real time, and registers the compromised device there with unique identifiers for tracking purposes.

Cyfirma reports that stolen data is only stored in the database temporarily and then deleted, likely after malicious actors filter it for valuable information and copy it to another location.

The malware also opens a persistent WebSocket connection to the Firebase C2 endpoint for executing real-time commands, such as requesting specific data, triggering immediate uploads to the Firebase database, downloading and executing additional payloads, or adjusting monitoring settings.

FireScam can also monitor changes in screen activity, capture screen on/off events, and record the application active at that time, along with activity data for events lasting more than 1,000 milliseconds.

The malware also meticulously monitors all e-commerce transactions, attempting to capture sensitive financial data.

Everything the user types, drags and drops, or copies to the clipboard is captured, as is automatically populated data from password managers or cross-app exchanges; all of it is categorized and exfiltrated to the malicious actors.

Data exfiltrated by FireScam
Source: CYFIRMA

Although Cyfirma has no indication of FireScam’s operators, researchers say the malware is a “sophisticated, multifaceted threat” that “utilizes advanced evasion techniques.”

The company recommends that users exercise caution when opening files from potentially untrustworthy sources or clicking on unknown links.
