‘FireScam’ Malware Targets Android Users with Fake Telegram Premium App

The malware targets users by mimicking the interface of RuStore, Russia’s official mobile app market.

A new Android malware named ‘FireScam’ has surfaced, disguised as a premium version of the Telegram app. Distributed through phishing websites hosted on GitHub, the malware tricks users by mimicking the interface of RuStore, Russia’s official mobile app market. This development underscores the increasing sophistication of cyber threats leveraging trusted platforms and applications. 

RuStore, launched in May 2022 by Russian internet giant VK (VKontakte) with support from the Ministry of Digital Development, was designed as an alternative to Google Play and Apple’s App Store. It was created to ensure Russian users have access to mobile software amid Western sanctions. RuStore hosts applications that comply with Russian regulations, becoming an essential tool for domestic users. However, cybercriminals have exploited RuStore’s credibility to distribute malware under the guise of legitimate applications. 

According to cybersecurity researchers at Cyfirma, the malware is delivered via a GitHub-hosted phishing page mimicking RuStore. The page provides an initial payload named GetAppsRu.apk, a dropper module obfuscated with DexGuard to bypass detection mechanisms. Once installed, the dropper module gains permissions to:

  • Identify installed apps.
  • Access device storage.
  • Install additional packages.

It then installs the main malware payload, Telegram Premium.apk, which requests extensive permissions to monitor notifications, clipboard data, SMS, and telephony services.
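As an added example (not code from the article or from Cyfirma), the following Python triages a decoded AndroidManifest.xml against the two permission profiles described above, the dropper's (enumerate apps, read storage, install packages) and the payload's (notifications, SMS, telephony). The mapping from those described capabilities to concrete Android permission names, the sample manifest, and its package and service names are this example's assumptions.

```python
# Added example; mapping the article's described capabilities to permission names is an assumption.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

DROPPER_PROFILE = {                                 # dropper: the three capabilities described
    "android.permission.QUERY_ALL_PACKAGES",        # identify installed apps
    "android.permission.READ_EXTERNAL_STORAGE",     # access device storage
    "android.permission.REQUEST_INSTALL_PACKAGES",  # install additional packages
}
PAYLOAD_PROFILE = {                                 # payload: notifications, SMS, telephony
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """<uses-permission android:name> plus android:permission on <service> elements,
    because a notification listener is declared on its service, not as uses-permission."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> dict:
    """Which described capabilities are requested, and whether the full dropper profile
    or the notification-listener-plus-SMS/telephony payload profile is present."""
    perms = declared_permissions(manifest_xml)
    dropper_hits = sorted(perms & DROPPER_PROFILE)
    payload_hits = sorted(perms & PAYLOAD_PROFILE)
    return {
        "dropper_hits": dropper_hits,
        "payload_hits": payload_hits,
        "matches_dropper_profile": len(dropper_hits) == len(DROPPER_PROFILE),
        "matches_payload_profile": ("android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in perms
                                    and len(payload_hits) >= 2),
    }

# Constructed manifest for illustration; package and service names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application><service android:name=".Listener"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""
```

Run `triage()` over manifests decoded from an APK (for example with apktool) to flag samples whose requested capabilities match this profile; a match is a reason to inspect further, not proof of FireScam.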
  
Credential Theft and Real-Time Data Exfiltration 
 
Upon execution, FireScam displays a fake Telegram login page via a WebView screen, designed to steal Telegram credentials. The malware establishes communication with a Firebase Realtime Database, where stolen data is uploaded in real time. Devices are registered using unique identifiers for tracking. Notably, Cyfirma reports that stolen data is temporarily stored in the Firebase database before being filtered and moved to a more secure location. FireScam also maintains a persistent WebSocket connection with a Firebase command-and-control (C2) endpoint. This enables attackers to:
  • Execute real-time commands.
  • Download and execute additional payloads.
  • Adjust surveillance settings.
  • Trigger immediate data uploads.

Advanced Surveillance Features

FireScam actively monitors device activity, logging:
  • Screen on/off events.
  • Active app usage.
  • Activities lasting over 1,000 milliseconds.

A particularly concerning feature is its focus on e-commerce transactions, where it attempts to intercept sensitive financial data. The malware captures everything users type, drag, drop, or copy, including autofilled details from password managers and app-to-app exchanges.

While Cyfirma has yet to identify the operators behind FireScam, they describe it as a “sophisticated and multifaceted threat” that employs advanced evasion techniques. 
 
To mitigate the risk of infection, Cyfirma advises users to:
  • Exercise caution when downloading apps, especially from untrusted sources.
  • Avoid clicking on unfamiliar links.
  • Ensure that app downloads come from official stores like Google Play or verified platforms.

The rise of malware like FireScam highlights the importance of vigilance in the digital era. Users must remain cautious, adopt secure online practices, and rely on trusted platforms to minimize the risk of falling victim to sophisticated cyber threats.