A newly identified Android malware called 'FireScam' is being distributed as a premium version of the Telegram app through phishing pages on GitHub that impersonate RuStore, a Russian app market for mobile devices.
About the FireScam malware
Russian internet group VK (VKontakte) launched RuStore in May 2022 as an alternative to Apple's App Store and Google Play after Western sanctions affected Russian users' access to mobile software. RuStore hosts apps that comply with Russian regulations, and it was built with the assistance of the Russian Ministry of Digital Development.
Experts from threat management company Cyfirma report that the phishing GitHub page impersonating RuStore first delivers a dropper module named GetAppsRu.apk.
The dropper APK is obfuscated with DexGuard to evade detection and requests permissions that let it enumerate installed applications, access the device's storage, and install further packages.
Once installed, it retrieves and deploys the main malware payload, "Telegram Premium.apk", which requests permissions to monitor notifications, read clipboard data, and access telephony services, SMS, and much more.
What are FireScam's capabilities?
Once executed, a deceptive WebView screen displays a Telegram login page that steals the user's credentials. FireScam communicates with a Firebase Realtime Database, uploads stolen data in real time, and tags infected devices with unique identifiers for tracking.
According to Cyfirma, stolen data is kept in the database only temporarily and is wiped once the attackers have filtered it for information of interest and copied it elsewhere.
The malware maintains a persistent WebSocket connection to the Firebase C2 endpoint for real-time command execution: requesting specific data, downloading and installing additional payloads, triggering immediate uploads to the Firebase database, or adjusting its surveillance parameters.
FireScam also tracks changes in screen activity, monitors screen on/off events, logs the running applications, and records activity data for events exceeding 1,000 milliseconds.
Additionally, FireScam closely monitors e-commerce payments to steal sensitive financial data. It can capture keystrokes, clipboard contents, drag-and-drop actions, and data autofilled from password managers.
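As an added defender-side example (not Cyfirma's code and not taken from the sample), the script below triages an AndroidManifest.xml against the capability profile described above: the dropper's installer and storage permissions and the payload's notification, SMS and screen/input monitoring. The permission names, bound-service names and the sample manifest are my own assumptions; the write-up does not name them.

```python
# Added example, not Cyfirma's tooling. The permission and bound-service names
# below are an assumed mapping of the capabilities the write-up lists.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

CAPABILITY_PERMS = {
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "install further packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "read device storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}
# Services the app exposes under system-only permissions to read notifications / screen text.
CAPABILITY_SERVICES = {
    "read all notifications": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "observe screen and input events": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def triage_manifest(xml_text):
    """Return {capability: [evidence]} for each FireScam-like capability present."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = {s.get(A + "permission") for s in root.iter("service")}
    found = {cap: sorted(requested & perms)
             for cap, perms in CAPABILITY_PERMS.items() if requested & perms}
    found.update({cap: [perm] for cap, perm in CAPABILITY_SERVICES.items() if perm in bound})
    return found

def risk_verdict(found):
    """Installer rights combined with surveillance capabilities is the dropper/payload pattern."""
    surveillance = set(found) - {"install further packages", "enumerate installed apps"}
    if "install further packages" in found and surveillance:
        return "HIGH"
    return "MEDIUM" if found else "LOW"

# Constructed manifest resembling the profile in the write-up (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.telegram">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".A11ySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE_MANIFEST)
    print(risk_verdict(hits), hits)
```

A real manifest has to be decoded from the APK's binary XML first (for example with apktool or androguard) before it can be fed to this parser.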
How to stay safe?
Cyfirma offers no hints about FireScam's operators, but the researchers describe the malware as a "sophisticated and multifaceted threat" that "employs advanced evasion techniques." The company advises users to exercise caution when opening files from potentially malicious sources or clicking on unknown URLs.