A new Android malware, known as FireScam, has emerged, deceiving users into thinking they are downloading a Telegram Premium application. Instead of the messaging app, FireScam is malicious software with spyware capabilities, designed to monitor victims’ notifications, text messages, and app activities, while also stealing sensitive information through Firebase services.
Researchers at Cyfirma discovered this new infostealer, distributed through a phishing website hosted on GitHub.io, which imitates RuStore, a popular Russian Federation app store. The phishing site delivers a dropper named ru[.]store[.]installer, which installs as GetAppsRu[.]apk and prompts users to install Telegram Premium.
Unfortunately, once installed, FireScam requests various permissions that enable it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps. One concerning permission designates the individual who installed FireScam as the app’s “update owner,” preventing legitimate updates from other sources and allowing the malware to persist on the victim’s device.
The malicious software can intercept and steal a range of sensitive information, including notifications, messages, app data, clipboard contents, and USSD responses. This stolen data is then exfiltrated to a Firebase database, providing attackers with remote access to the captured details without the user’s knowledge. The stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and eventually removed.
Interestingly, FireScam utilizes legitimate services like Firebase for data exfiltration and command-and-control communications, a tactic increasingly used by malware to evade detection and disguise malicious traffic and payloads. By registering a service to receive Firebase Cloud Messaging notifications, FireScam can trigger the messaging service whenever it receives a Firebase push notification.
Additionally, the malware can receive remote commands from a C2 server through the Firebase Cloud Messaging service, execute specific actions, and silently deliver additional malicious payloads that can be downloaded and installed remotely. The app also has the capability to exfiltrate sensitive data from the device to a remote server without the user’s awareness, maintaining continuous communication with the server even when the app is not actively in use.
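A defender-side triage heuristic, added here and not code from the Cyfirma report or from the malware itself: it parses an AndroidManifest.xml and flags the combination the article describes, namely app-enumeration, storage, install/delete and SMS permissions together with a Firebase Cloud Messaging service and a notification-listener service. The permission names and intent actions are real Android and Firebase identifiers; the sample manifest is constructed for illustration and the scoring threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that map to the capabilities the article describes.
RISKY_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete other apps",
    "android.permission.READ_SMS": "read text messages",
}
# Intent actions: FCM push service (remote command channel) and notification listener.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
NOTIF_LISTENER_ACTION = "android.service.notification.NotificationListenerService"

def triage_manifest(manifest_xml: str) -> dict:
    """Parse a manifest and report which FireScam-like indicators it carries."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in RISKY_PERMISSIONS:
            found[name] = RISKY_PERMISSIONS[name]
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    fcm = FCM_ACTION in actions
    notif = NOTIF_LISTENER_ACTION in actions
    # Assumed heuristic: a push-driven command channel, notification capture and
    # at least three of the risky permissions together warrant manual review.
    suspicious = fcm and notif and len(found) >= 3
    return {"permissions": found, "fcm_receiver": fcm,
            "notification_listener": notif, "suspicious": suspicious}

# Constructed sample manifest (not taken from the FireScam dropper).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run it against a manifest extracted with a tool such as apktool; a "suspicious" verdict is a prompt for analyst review, not proof of malice, since legitimate messaging apps also register FCM and notification-listener services.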
Overall, FireScam’s sophisticated communication methods make it challenging for security tools to detect, as it can tailor its behavior to specific environments and bypass security controls. As cybersecurity threats continue to evolve, it is crucial for users to remain vigilant and take proactive measures to protect their digital devices and personal information.