
Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly reported Android malware called 'FireScam' is being distributed as a premium variant of the Telegram application through phishing sites hosted on GitHub that impersonate RuStore, a Russian app market for mobile devices.

About FireScam

Russian internet group VK (VKontakte) launched RuStore in May 2022 as an alternative to Apple's App Store and Google Play after Western sanctions cut Russian users off from mobile software. RuStore hosts apps that comply with Russian regulations; it was built with the assistance of the Russian Ministry of Digital Development.

Researchers at threat management company Cyfirma report that the GitHub phishing page impersonating RuStore first serves a dropper module named GetAppsRu.apk.
</grace_replace_placeholder>

The dropper APK is obfuscated with DexGuard to evade detection and requests permissions that let it enumerate installed applications, access the device's storage, and install further packages.

Once this is done, it retrieves and deploys the main malware payload, "Telegram Premium.apk", which asks for permissions to read notifications, clipboard data, telephony services, SMS, and much more.

What are FireScam's capabilities?

Once executed, a deceptive WebView screen shows a fake Telegram login page that steals the user's credentials. FireScam communicates with a Firebase Realtime Database, uploads stolen data in real time, and registers infected devices with unique identifiers for tracking.

According to Cyfirma, stolen data is kept only temporarily in the database: once the attackers have filtered it for the information they want and copied it to another location, it is wiped.

The malware also holds open a persistent WebSocket connection to the Firebase C2 endpoint for real-time command execution: requesting specific data, downloading and installing additional payloads, triggering immediate uploads to the Firebase database, or adjusting the surveillance parameters.

FireScam also tracks changes in screen activity, monitors screen on/off events, logs the running applications, and records activity events that last longer than 1,000 milliseconds.

Additionally, FireScam closely monitors e-commerce payments in order to steal sensitive financial data. It can capture what you type, what you copy to the clipboard, what you drag and drop, and data autofilled from password managers.

How to be safe?

Cyfirma offers no attribution for FireScam's operators, but the researchers describe the malware as a "sophisticated and multifaceted threat" that "employs advanced evasion techniques." Cyfirma advises users to exercise caution when opening files from potentially malicious sources or clicking on unknown URLs.

‘FireScam’ Malware Targets Android Users with Fake Telegram Premium App

A new Android malware named ‘FireScam’ has surfaced, disguised as a premium version of the Telegram app. Distributed through phishing websites hosted on GitHub, the malware tricks users by mimicking the interface of RuStore, Russia’s official mobile app market. This development underscores the increasing sophistication of cyber threats leveraging trusted platforms and applications. 

RuStore, launched in May 2022 by Russian internet giant VK (VKontakte) with support from the Ministry of Digital Development, was designed as an alternative to Google Play and Apple’s App Store. It was created to ensure Russian users have access to mobile software amid Western sanctions. RuStore hosts applications that comply with Russian regulations, becoming an essential tool for domestic users. However, cybercriminals have exploited RuStore’s credibility to distribute malware under the guise of legitimate applications. 

According to cybersecurity researchers at Cyfirma, the malware is delivered via a GitHub-hosted phishing page mimicking RuStore. The page provides an initial payload named GetAppsRu.apk, a dropper module obfuscated with DexGuard to bypass detection mechanisms. Once installed, the dropper module gains permissions to:

  • Identify installed apps.
  • Access device storage.
  • Install additional packages.
It then installs the main malware payload, Telegram Premium.apk, which requests extensive permissions to monitor notifications, clipboard data, SMS, and telephony services. 
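The dropper and payload permission profiles described above give a defender a concrete thing to look for when triaging a sideloaded APK. The following script is an added example, not Cyfirma's tooling or FireScam's real manifest: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and flags the permission combinations that match the behaviour in the post. The sample manifest and package name are constructed placeholders.

```python
"""Triage a decoded AndroidManifest.xml for a dropper/spyware permission profile.

Added example (not the vendor's code). The manifest below is a constructed
sample modelled on the behaviour described in the post, not FireScam's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the behaviours described in the post.
DROPPER_PROFILE = {
    "android.permission.QUERY_ALL_PACKAGES",        # enumerate installed apps
    "android.permission.READ_EXTERNAL_STORAGE",     # device storage access
    "android.permission.REQUEST_INSTALL_PACKAGES",  # side-load further APKs
}
PAYLOAD_PROFILE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",          # telephony services
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",  # notification access
}

def manifest_permissions(xml_text: str) -> set:
    """Return every permission the manifest requests or binds a service with."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Notification access is declared on a <service>, not via uses-permission.
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}

def triage(xml_text: str) -> dict:
    """Score the manifest against the dropper and payload profiles."""
    perms = manifest_permissions(xml_text)
    dropper = sorted(perms & DROPPER_PROFILE)
    payload = sorted(perms & PAYLOAD_PROFILE)
    verdict = ("dropper-like" if len(dropper) == len(DROPPER_PROFILE) else
               "spyware-like" if len(payload) >= 3 else "no match")
    return {"package": ET.fromstring(xml_text).get("package"),
            "dropper_hits": dropper, "payload_hits": payload, "verdict": verdict}

# Constructed sample manifest; the package name is a placeholder.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.dropper.placeholder">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".Svc"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The thresholds are a starting point for triage, not a verdict: plenty of legitimate apps need one of these permissions, so the signal is in the combination plus the sideloaded origin.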
  
Credential Theft and Real-Time Data Exfiltration 
 
Upon execution, FireScam displays a fake Telegram login page via a WebView screen, designed to steal Telegram credentials. The malware establishes communication with a Firebase Realtime Database, where stolen data is uploaded in real-time. Devices are registered using unique identifiers for tracking. Notably, Cyfirma reports that stolen data is temporarily stored in the Firebase database before being filtered and moved to a more secure location. FireScam also maintains a persistent WebSocket connection with a Firebase command-and-control (C2) endpoint. This enables attackers to:
  • Execute real-time commands.
  • Download and execute additional payloads.
  • Adjust surveillance settings.
  • Trigger immediate data uploads.
Advanced Surveillance Features 
 
FireScam actively monitors device activity, logging:
  • Screen on/off events.
  • Active app usage.
  • Activities lasting over 1,000 milliseconds.
A particularly concerning feature is its focus on e-commerce transactions, where it attempts to intercept sensitive financial data. The malware captures everything users type, drag, drop, or copy, including autofilled details from password managers and app-to-app exchanges. 
  
While Cyfirma has yet to identify the operators behind FireScam, its researchers describe it as a "sophisticated and multifaceted threat" that employs advanced evasion techniques.
 
To mitigate the risk of infection, Cyfirma advises users to:
  • Exercise caution when downloading apps, especially from untrusted sources.
  • Avoid clicking on unfamiliar links.
  • Ensure that app downloads come from official stores like Google Play or verified platforms.
The rise of malware like FireScam highlights the importance of vigilance in the digital era. Users must remain cautious, adopt secure online practices, and rely on trusted platforms to minimize the risk of falling victim to sophisticated cyber threats.