Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label FireScam. Show all posts
Telegram
Android Malware Fake Apps FireScam malware Social Media Telegram

FireScam Malware Targets Android Users via Fake Telegram Premium App

Android Malware 'FireScam' Poses As Telegram Premium to Steal User Data


A newly discovered Android malware, FireScam, is being distributed through phishing websites on GitHub, masquerading as a premium version of the Telegram application. These malicious sites impersonate RuStore, a Russian app marketplace, to deceive users into downloading the infected software.

How FireScam Operates

RuStore, launched by Russian tech giant VK (VKontakte) in May 2022, was developed as an alternative to Apple's App Store and Google Play following Western sanctions that restricted Russian users' access to global platforms. This marketplace hosts apps that comply with Russian regulations and operates under the oversight of the Russian Ministry of Digital Development.

According to security researchers at CYFIRMA, attackers have set up a fraudulent GitHub page mimicking RuStore. This fake website delivers a dropper module named GetAppsRu.apk. Once installed, the dropper requests extensive permissions, allowing it to scan installed applications, access device storage, and install additional software. It then downloads and executes the main malware payload, disguised as Telegram Premium.apk. This secondary payload enables the malware to monitor notifications, read clipboard data, access SMS and call information, and collect other sensitive details.

FireScam’s Advanced Capabilities

Once activated, FireScam presents users with a deceptive WebView-based Telegram login page designed to steal credentials. The malware communicates with Firebase Realtime Database, allowing stolen data to be uploaded instantly. It also assigns unique identifiers to compromised devices, enabling hackers to track them.

Stolen data is temporarily stored before being filtered and transferred to another location, ensuring that traces are erased from Firebase. Additionally, FireScam establishes a persistent WebSocket connection with the Firebase command-and-control (C2) server, enabling real-time command execution. This allows attackers to:

  • Request specific data from the infected device
  • Install additional payloads
  • Modify surveillance parameters
  • Initiate immediate data uploads

Furthermore, the malware can:

  • Monitor screen activity and app usage
  • Track changes in screen on/off states
  • Log keystrokes, clipboard data, and credentials stored in password managers
  • Intercept and steal e-commerce payment details

How to Stay Safe

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers warn that the malware exhibits advanced evasion techniques and poses a serious threat to users. To minimize the risk of infection, users should:

  • Avoid downloading apps from unverified sources, especially those claiming to be premium versions of popular software.
  • Exercise caution when opening links from unknown sources.
  • Regularly review and restrict app permissions to prevent unauthorized data access.
  • Use reliable security solutions to detect and block malware threats.

As attackers continue refining their tactics, staying vigilant against phishing campaigns and suspicious downloads is essential to protecting personal and financial data.


Read more »
Social Media Scam
cyberattack news FireScam malware News Online Scam Social Media Scam

FireScam Malware Disguised as Telegram Premium Spreads via Phishing Sites

A new Android malware called FireScam is being distributed through phishing websites hosted on GitHub, masquerading as a premium version of the Telegram app. These fraudulent sites mimic RuStore, Russia’s official mobile app marketplace, tricking users into downloading the malware. This incident highlights how cybercriminals exploit trusted platforms to deploy sophisticated threats.

RuStore was launched in May 2022 by Russian tech company VK (VKontakte) with support from the Ministry of Digital Development as an alternative to Google Play and Apple’s App Store. It was designed to provide Russian users access to mobile applications despite Western sanctions. Cybercriminals have taken advantage of RuStore’s credibility by creating phishing pages that distribute malware under the guise of legitimate applications. According to security researchers at CYFIRMA, attackers have set up a GitHub-hosted phishing page impersonating RuStore, delivering an initial malware payload named GetAppsRu.apk.

Once installed, the dropper module requests multiple permissions, allowing it to identify installed applications, access device storage, and install additional software. It then downloads and installs the primary malware payload, disguised as Telegram Premium.apk. This second-stage malware requests extensive permissions, enabling it to monitor notifications, read clipboard data, access SMS and call information, and track user activity.

FireScam displays a fake Telegram login page via WebView to steal user credentials. The malware then communicates with Firebase Realtime Database, where stolen data is uploaded in real time. Each infected device is assigned a unique identifier, allowing attackers to track it. According to CYFIRMA, the stolen data is temporarily stored in Firebase before being filtered and transferred to another location. FireScam maintains a persistent WebSocket connection with a Firebase-based command-and-control (C2) endpoint, allowing attackers to execute real-time commands, download and install additional payloads, modify surveillance settings, and trigger immediate data uploads.

FireScam continuously tracks various device activities, including screen on/off events, active app usage, and user interactions lasting over 1,000 milliseconds. One of its most concerning features is its focus on e-commerce transactions. The malware attempts to intercept sensitive financial data by logging keystrokes, tracking clipboard content, and extracting auto-filled credentials from password managers.

While the identity of FireScam’s operators remains unknown, CYFIRMA researchers describe it as a sophisticated and multifaceted threat that employs advanced evasion techniques. To minimize the risk of infection, users should avoid downloading apps from unverified sources, be cautious when clicking on unfamiliar links, download applications only from official platforms like Google Play or verified stores, and regularly review and restrict app permissions to prevent unauthorized data access. The rise of malware like FireScam underscores the growing need for cybersecurity awareness. Staying vigilant and adopting secure online practices is essential to protecting personal and financial data from evolving cyber threats.

Read more »
Subscribe to: Posts (Atom)