Firescam Android Malware Steals Data by Disguising as Telegram App

Author

Reads 677

A Person Holding a Smartphone
Credit: pexels.com, A Person Holding a Smartphone

Firescam Android malware has been discovered to steal sensitive data by disguising itself as the popular messaging app Telegram.

The malware uses a fake Telegram icon and name to trick users into downloading and installing it, thinking it's the real Telegram app.

This is a clever tactic, but one that's ultimately very dangerous.

What Is Firescam?

FireScam is a type of Android malware that disguises itself as a legitimate app to trick users into installing it.

This malware is spread through phishing websites, specifically one hosted on the GitHub.io domain that mimics the RuStore app store.

The website delivers a dropper that installs the FireScam malware, posing as the Telegram Premium application.

FireScam steals sensitive information and exfiltrates data to Firebase C2 endpoints, temporarily storing it in a Firebase Realtime Database.

The malware requests extensive permissions, including app management, storage access, and updating or deleting apps without user consent.

It also implements obfuscation techniques, dynamic receiver access control, and sandbox detection mechanisms to avoid detection.

Credit: youtube.com, FireScam - A New Persistent Android Malware

FireScam gathers sensitive device data, intercepts USSD responses, tracks user actions, monitors notifications, and targets e-commerce and app interactions.

The malware uses dynamic broadcast receivers with custom permissions, allowing only apps signed by attackers to access sensitive events or data.

FireScam is disguised as a fake Telegram Premium app to trick users into installing it, where it then steals sensitive information and exfiltrates data to remote servers.

How It Works

FireScam Android malware is a sophisticated threat that targets Android devices by disguising itself as a "premium" version of the Telegram app. It's distributed through a fake app store link hosted on GitHub.io.

The malware is designed to steal personal information and gain ongoing control over the affected device. It's a fake app store link that mimics the RuStore app store, a legitimate app marketplace in Russia created by the tech company VK.

To spread the malware, users are encouraged to download a file called GetAppsRu.apk, which serves as the main dropper for the malware. This file is hosted on the phishing site rustore-apk.github[.]io.

Credit: youtube.com, New Android Malware Ajina.Banker: How It Steals 2FA Codes!

FireScam employs classic phishing techniques to lure victims into downloading the fake Telegram app. It sends links to download "Telegram" from unofficial websites, often via email, SMS, or other communication platforms.

Once installed, the malware collects sensitive information like login credentials, text messages, and even payment details. It then connects to a remote server controlled by attackers, enabling them to execute commands, extract data, and further compromise the device.

The malware requests extensive permissions, such as app management, storage access, and updating or deleting apps without user consent. These permissions include:

  • ENFORCE_UPDATE_OWNERSHIP permission, which allows an app to control its updates and block others
  • Unrestricted background activity (exemption from battery optimization)
  • Access notifications on the compromised device

The malware uses dynamic broadcast receivers with custom permissions, allowing only apps signed by attackers to access sensitive events or data. It also implements obfuscation techniques, dynamic receiver access control, and sandbox detection mechanisms to avoid detection.

FireScam gathers sensitive device data, intercepts USSD responses, tracks user actions, monitors notifications, and targets e-commerce and app interactions. The malware exfiltrates data to remote servers, highlighting its potential impact on user privacy and security.

Why So Dangerous?

Credit: youtube.com, How you can protect your phone from Android malware scams | CNA Explains

FireScam is a sneaky malware that disguises itself as the real Telegram app, making it nearly impossible to spot the difference. This is a major red flag, as many users won't realize they're using a counterfeit version until it's too late.

Its ability to spread through phishing links allows it to reach a vast number of users, putting countless people at risk of having their accounts or devices compromised. FireScam's primary danger lies in its ability to look and behave like the real Telegram app, making it a ticking time bomb for unsuspecting users.

Unknown Attackers

The identity of the attackers behind FireScam remains a mystery. It's unclear who is behind this malicious malware.

The tactics used to trick users into downloading FireScam are also unknown, making it difficult to stay safe online.

It's possible that methods like SMS phishing or misleading ads are used to lure victims in.

Final Thoughts

FireScam's success in collecting data and monitoring devices shows how effective phishing-based distribution can be in infecting smartphones.

Phishing attacks are a major concern, and we need to stay alert to keep our data safe.

Double-checking app sources is crucial to avoid installing malware.

Avoiding unknown websites is another important step in protecting ourselves from this evolving malware threat.

Attack and Impact

Credit: youtube.com, Security Brief: AI-write malware, Telegram policy change, Kansas water, Android malware 11M devices

The firescam Android malware is a sneaky one, disguising itself as the Telegram app to trick users into installing it. It then asks for permissions to access contacts, call logs, and SMS messages.

This malware is particularly cunning as it shows a login page for the actual Telegram website in a WebView, tricking users into entering their account details. Regardless of whether the user logs in, data collection begins.

The malware starts stealing credentials as soon as it's launched, making it a serious threat to users' sensitive information.

Technical Details

FireScam malware declares itself as the "update owner" on Android devices, giving it control over future updates and allowing it to block legitimate updates from other sources.

This means that once FireScam is installed, it can prevent users from updating their apps or installing new ones, effectively taking control of the device.

FireScam requests access to write to external storage and to install, update, or remove apps, which it uses to maintain its presence on the device.

The malware uses Firebase Cloud Messaging (FCM) to receive remote commands, allowing attackers to send orders to the infected device.

It also sets up a WebSocket connection with its command-and-control (C2) server, enabling it to manage data theft and other malicious actions.

Curious to learn more? Check out: How to Auto Update Apps in Android

Obfuscation and Surveillance Tactics

Credit: youtube.com, What Is Obfuscation In Cyber Security? - SecurityFirstCorp.com

FireScam uses various techniques to hide its true intentions and evade detection. It tracks incoming notifications, screen states, clipboard items, e-commerce transactions, and user behavior. This allows the malware to gather sensitive information without arousing suspicion.

The malware can also download and handle image data from specific URLs. This is a clever way for the attackers to receive updates or instructions without being detected.

FireScam's surveillance tactics are designed to be stealthy and continuous. It can monitor user behavior and send the information back to its command-and-control server.

List of IOCs

IOCs are essential indicators that help identify potential issues in a system. They can be categorized into different types, including performance, security, and configuration-related IOCs.

Performance IOCs can be related to high CPU usage, memory leaks, or slow query execution times. These can be identified through monitoring tools such as Prometheus and Grafana.

Security IOCs often involve suspicious login attempts, unauthorized access, or potential malware activity. Monitoring system logs and network traffic can help detect these types of IOCs.

Take a look at this: Azure Data Security

Credit: youtube.com, ThreatSTOP's New & Improved Check IOC - The best free cybersecurity tool available

Configuration-related IOCs may include incorrect configuration settings, outdated software, or missing security patches. Regular system audits and vulnerability scans can help identify these types of IOCs.

In practice, identifying IOCs requires a combination of monitoring tools, system logs, and regular audits. By staying vigilant and proactive, you can quickly respond to potential issues before they become major problems.

Melba Kovacek

Writer

Melba Kovacek is a seasoned writer with a passion for shedding light on the complexities of modern technology. Her writing career spans a diverse range of topics, with a focus on exploring the intricacies of cloud services and their impact on users. With a keen eye for detail and a knack for simplifying complex concepts, Melba has established herself as a trusted voice in the tech journalism community.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.