
Firescam Android malware has been discovered to steal sensitive data by disguising itself as the popular messaging app Telegram.
The malware uses a fake Telegram icon and name to trick users into downloading and installing it, thinking it's the real Telegram app.
This is a clever tactic, but one that's ultimately very dangerous.
What Is Firescam?
FireScam is a type of Android malware that disguises itself as a legitimate app to trick users into installing it.
This malware is spread through phishing websites, specifically one hosted on the GitHub.io domain that mimics the RuStore app store.
The website delivers a dropper that installs the FireScam malware, posing as the Telegram Premium application.
FireScam steals sensitive information and exfiltrates data to Firebase C2 endpoints, temporarily storing it in a Firebase Realtime Database.
The malware requests extensive permissions, including app management, storage access, and updating or deleting apps without user consent.
It also implements obfuscation techniques, dynamic receiver access control, and sandbox detection mechanisms to avoid detection.
FireScam gathers sensitive device data, intercepts USSD responses, tracks user actions, monitors notifications, and targets e-commerce and app interactions.
The malware uses dynamic broadcast receivers with custom permissions, allowing only apps signed by attackers to access sensitive events or data.
FireScam is disguised as a fake Telegram Premium app to trick users into installing it, where it then steals sensitive information and exfiltrates data to remote servers.
How It Works
FireScam Android malware is a sophisticated threat that targets Android devices by disguising itself as a "premium" version of the Telegram app. It's distributed through a fake app store link hosted on GitHub.io.
The malware is designed to steal personal information and gain ongoing control over the affected device. It's a fake app store link that mimics the RuStore app store, a legitimate app marketplace in Russia created by the tech company VK.
To spread the malware, users are encouraged to download a file called GetAppsRu.apk, which serves as the main dropper for the malware. This file is hosted on the phishing site rustore-apk.github[.]io.
Broaden your view: How to Download Apps without App Store Iphone
FireScam employs classic phishing techniques to lure victims into downloading the fake Telegram app. It sends links to download "Telegram" from unofficial websites, often via email, SMS, or other communication platforms.
Once installed, the malware collects sensitive information like login credentials, text messages, and even payment details. It then connects to a remote server controlled by attackers, enabling them to execute commands, extract data, and further compromise the device.
The malware requests extensive permissions, such as app management, storage access, and updating or deleting apps without user consent. These permissions include:
- ENFORCE_UPDATE_OWNERSHIP permission, which allows an app to control its updates and block others
- Unrestricted background activity (exemption from battery optimization)
- Access notifications on the compromised device
The malware uses dynamic broadcast receivers with custom permissions, allowing only apps signed by attackers to access sensitive events or data. It also implements obfuscation techniques, dynamic receiver access control, and sandbox detection mechanisms to avoid detection.
FireScam gathers sensitive device data, intercepts USSD responses, tracks user actions, monitors notifications, and targets e-commerce and app interactions. The malware exfiltrates data to remote servers, highlighting its potential impact on user privacy and security.
Why So Dangerous?
FireScam is a sneaky malware that disguises itself as the real Telegram app, making it nearly impossible to spot the difference. This is a major red flag, as many users won't realize they're using a counterfeit version until it's too late.
Its ability to spread through phishing links allows it to reach a vast number of users, putting countless people at risk of having their accounts or devices compromised. FireScam's primary danger lies in its ability to look and behave like the real Telegram app, making it a ticking time bomb for unsuspecting users.
Unknown Attackers
The identity of the attackers behind FireScam remains a mystery. It's unclear who is behind this malicious malware.
The tactics used to trick users into downloading FireScam are also unknown, making it difficult to stay safe online.
It's possible that methods like SMS phishing or misleading ads are used to lure victims in.
Final Thoughts
FireScam's success in collecting data and monitoring devices shows how effective phishing-based distribution can be in infecting smartphones.
Phishing attacks are a major concern, and we need to stay alert to keep our data safe.
Double-checking app sources is crucial to avoid installing malware.
Avoiding unknown websites is another important step in protecting ourselves from this evolving malware threat.
Attack and Impact
The firescam Android malware is a sneaky one, disguising itself as the Telegram app to trick users into installing it. It then asks for permissions to access contacts, call logs, and SMS messages.
This malware is particularly cunning as it shows a login page for the actual Telegram website in a WebView, tricking users into entering their account details. Regardless of whether the user logs in, data collection begins.
The malware starts stealing credentials as soon as it's launched, making it a serious threat to users' sensitive information.
Technical Details
FireScam malware declares itself as the "update owner" on Android devices, giving it control over future updates and allowing it to block legitimate updates from other sources.
This means that once FireScam is installed, it can prevent users from updating their apps or installing new ones, effectively taking control of the device.
FireScam requests access to write to external storage and to install, update, or remove apps, which it uses to maintain its presence on the device.
The malware uses Firebase Cloud Messaging (FCM) to receive remote commands, allowing attackers to send orders to the infected device.
It also sets up a WebSocket connection with its command-and-control (C2) server, enabling it to manage data theft and other malicious actions.
Curious to learn more? Check out: How to Auto Update Apps in Android
Obfuscation and Surveillance Tactics
FireScam uses various techniques to hide its true intentions and evade detection. It tracks incoming notifications, screen states, clipboard items, e-commerce transactions, and user behavior. This allows the malware to gather sensitive information without arousing suspicion.
The malware can also download and handle image data from specific URLs. This is a clever way for the attackers to receive updates or instructions without being detected.
FireScam's surveillance tactics are designed to be stealthy and continuous. It can monitor user behavior and send the information back to its command-and-control server.
Suggestion: How to Update Apps on Iphone without App Store
List of IOCs
IOCs are essential indicators that help identify potential issues in a system. They can be categorized into different types, including performance, security, and configuration-related IOCs.
Performance IOCs can be related to high CPU usage, memory leaks, or slow query execution times. These can be identified through monitoring tools such as Prometheus and Grafana.
Security IOCs often involve suspicious login attempts, unauthorized access, or potential malware activity. Monitoring system logs and network traffic can help detect these types of IOCs.
Take a look at this: Azure Data Security
Configuration-related IOCs may include incorrect configuration settings, outdated software, or missing security patches. Regular system audits and vulnerability scans can help identify these types of IOCs.
In practice, identifying IOCs requires a combination of monitoring tools, system logs, and regular audits. By staying vigilant and proactive, you can quickly respond to potential issues before they become major problems.
Featured Images: pexels.com


