
New FireScam Android Malware Utilizing Firebase Services To Avoid Detection


FireScam, a multi-stage Android malware posing as a fake “Telegram Premium” app, has been identified as a significant threat to Android users. It steals sensitive data from compromised devices and maintains persistence through heavy obfuscation and a remote command channel.

Initially distributed via a phishing website mimicking RuStore, FireScam exfiltrates user data such as notifications, messages, and clipboard content to a Firebase Realtime Database. The stolen data is held there temporarily before being filtered and moved to a private location, exposing sensitive information to the threat actors and to other users of the malware.

An analysis of the Firebase Realtime Database revealed potential Telegram IDs of threat actors and malware users, highlighting the underground network of malicious activities facilitated by this malware. The database also exposed the URL of a phishing site hosting dropper malware, further emphasizing the sophisticated nature of this cyber threat.

FireScam is delivered by a dropper named GetAppsRu.apk, which is protected by DexGuard and is capable of querying installed apps and accessing external storage. The dropper installs or updates other apps without user consent and delivers the FireScam payload, disguised as Telegram Premium.apk, on devices running Android 8 to 15. FireScam’s core package, ru.get.app, is obfuscated with NP Manager, which makes it harder for security researchers to reverse engineer.

Moreover, FireScam employs techniques such as empty class inheritance and process name verification to evade sandbox detection. It can also identify virtualized environments by fingerprinting device details, allowing it to adjust its behaviour and avoid analysis.

By using Firebase Cloud Messaging (FCM), FireScam receives remote commands and exfiltrates data while maintaining persistent communication with a remote server. It also registers dynamic broadcast receivers guarded by custom permissions, which serve as a backdoor channel for command delivery.

The FireScam malware leverages the Firebase Realtime Database to exfiltrate sensitive device information, including device name, app name, notification text, and timestamps. By accessing contacts, messages, and other sensitive data, FireScam poses a grave threat to user privacy and security.

According to Cyfirma, FireScam exfiltrates sensitive data from compromised devices to a Firebase-hosted C2 server using TLS-encrypted GET requests. These requests are upgraded to WebSocket connections, giving the malware a real-time bidirectional channel for data exfiltration and command-and-control.
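The capabilities described above (silent app installation, enumeration of installed apps, notification capture, an FCM command channel, and broadcast receivers guarded by custom permissions) all leave traces in an app’s manifest. The following script is an added example, not code from the article or from Cyfirma’s analysis: it triages a decoded AndroidManifest.xml for those declarations. The mapping from behaviour to manifest indicator is an assumption based on what each behaviour normally requires, and the sample manifest is constructed, not FireScam’s.

```python
# Added example (not from the article or Cyfirma): triage a decoded
# AndroidManifest.xml for the capabilities the article attributes to FireScam.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Behaviour -> manifest indicator. Assumption: these are the declarations such
# behaviour normally needs; a match is a triage lead, not proof of malice.
PERMISSION_INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install/update other apps",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps",
    "android.permission.INTERNET": "network access (exfiltration channel)",
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(xml_text: str) -> list[str]:
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(ANDROID + "name", "")
        if name in PERMISSION_INDICATORS:
            findings.append(f"{name}: {PERMISSION_INDICATORS[name]}")
    for svc in root.iter("service"):
        svc_name = svc.get(ANDROID + "name")
        if svc.get(ANDROID + "permission") == NOTIF_PERM:
            findings.append(f"notification listener service: {svc_name}")
        if any(a.get(ANDROID + "name") == FCM_ACTION for a in svc.iter("action")):
            findings.append(f"FCM message handler (remote command channel): {svc_name}")
    # Receivers guarded by an app-defined permission: the broadcast-receiver
    # backdoor pattern the article describes.
    custom_perms = {p.get(ANDROID + "name") for p in root.iter("permission")}
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID + "permission") in custom_perms:
            findings.append(f"receiver guarded by custom permission: {rcv.get(ANDROID + 'name')}")
    return findings


# Constructed sample manifest (not FireScam's real manifest) exercising every check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed">
  <permission android:name="example.constructed.CMD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".FcmSvc"><intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
    <receiver android:name=".CmdRcv" android:permission="example.constructed.CMD"/>
  </application>
</manifest>"""
```

Run it on a manifest decoded with apktool; `triage_manifest(SAMPLE_MANIFEST)` returns six findings for the constructed sample, one per indicator.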

In conclusion, FireScam is a sophisticated Android malware disguised as Telegram Premium that poses a significant threat to user privacy and security. By exploiting trust through phishing websites and relying on heavy obfuscation, FireScam steals sensitive data and maintains persistence on compromised devices. Users are advised to exercise caution when downloading apps from unknown sources and to keep their devices updated to reduce the risk of falling victim to threats like FireScam.
