FireScam Malware: A New Threat Disguised as Telegram Premium

Overview of the FireScam Malware

A dangerous piece of Android malware called FireScam has been found targeting Android users by pretending to be a “premium” version of the Telegram app. Its main goal is to steal personal information and keep ongoing control over the affected device.


FireScam spreads through a fake app store hosted on GitHub Pages. The phishing site, rustore-apk.github[.]io, is designed to look like RuStore, the legitimate Russian app marketplace created by the tech company VK. Visitors are prompted to download a file called GetAppsRu.apk, which serves as the dropper for the malware.

Multi-Stage Infection Process

  1. Dropper APK
    • After installation, the dropper acts as the first stage of the infection. Its job is to deliver the main malware payload (the fake Telegram Premium app) to the device and get it installed.
  2. Main Payload
    • This malicious code steals various types of data, including notifications, messages, and other app information, and sends it to a Firebase Realtime Database endpoint.

Permission Abuses and Persistence

  • Permissions on Android 8+
    The dropper requests permission to write to external storage and to install, update, or remove apps (on Android 8 and later, installing from outside the store is a per-app permission the user has to grant). It also requests the permission that lets it declare itself the “update owner” of the apps it installs, which is what gives it a lasting foothold on the device.
  • Update Ownership
    Recent Android releases (the feature and its ENFORCE_UPDATE_OWNERSHIP permission arrived in Android 14) let the installer of an app claim ownership of that app's future updates. Once FireScam holds ownership, an update pushed by any other installer is no longer applied silently; the user is prompted to approve it, so the malicious build is not quietly replaced by a legitimate one.

Obfuscation and Surveillance Tactics

FireScam uses obfuscation to hide its real purpose and evade detection. It tracks incoming notifications, screen state changes, clipboard contents, e-commerce transactions, and user activity. It can also download and process image data from specific URLs.

Stealing Credentials

When the fake Telegram Premium app is launched, it asks for permission to access contacts, call logs, and SMS messages. It then loads the login page of the real Telegram website inside a WebView, tricking users into entering their account details. Because the page is genuine but displayed inside a WebView the app controls, the victim sees nothing unusual while whatever is typed stays within the app's reach. Data collection starts whether or not the user actually logs in.

Remote Commands and Continuous Monitoring

  • Firebase Cloud Messaging (FCM)
    FireScam registers a service that receives messages from FCM, so attackers can issue commands to the infected device remotely through ordinary push notifications.
  • WebSocket Connection
    In parallel, the malware opens a WebSocket connection to its command-and-control (C2) server to coordinate data theft and other malicious actions.
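The capabilities described above (install and update-owner permissions, SMS/contact/call-log access, notification reading, an FCM-triggered service, and Firebase or WebSocket egress) are all visible statically once an APK has been decoded with a tool such as apktool or jadx. The following triage script is an added example written for this page; it is neither Cyfirma's tooling nor FireScam's own code. It reads an apktool-style AndroidManifest.xml plus a list of strings from the decoded app and flags the combination. The permission names and intent actions are real Android and Firebase identifiers; the sample manifest and strings are constructed to illustrate the pattern and are not copied from the real sample.

```python
"""Static triage of a decoded Android app for the dropper/spyware pattern
described in the FireScam write-up. Added example: not Cyfirma's tooling and
not the malware's own code. The manifest and strings at the bottom are
constructed for illustration."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by what they let an app do.
INSTALL_CONTROL = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
    # Android 14+: lets the installer claim update ownership of what it installs.
    "android.permission.ENFORCE_UPDATE_OWNERSHIP",
}
DATA_HARVEST = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Firebase Realtime Database hosts and WebSocket URLs found in decoded strings.
FIREBASE_DB_RE = re.compile(r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\S*")
WEBSOCKET_RE = re.compile(r"wss?://\S+")


def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Return the findings for one decoded app plus a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    # A service whose intent-filter carries the FCM action receives push
    # messages, the channel the write-up describes for remote commands.
    fcm_channel = any(
        a.get(ANDROID_NS + "name") == FCM_ACTION
        for svc in services for a in svc.iter("action")
    )
    # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE can read every
    # notification the device shows, including 2FA codes and chat previews.
    notif_listener = any(
        svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER for svc in services
    )
    firebase_db = sorted({m.group(0) for s in strings for m in FIREBASE_DB_RE.finditer(s)})
    websockets = sorted({m.group(0) for s in strings for m in WEBSOCKET_RE.finditer(s)})

    reasons = []
    if {"android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.ENFORCE_UPDATE_OWNERSHIP"} <= perms:
        reasons.append("installs other apps and claims update ownership (self-persisting dropper)")
    if notif_listener or perms & DATA_HARVEST:
        reasons.append("harvests notifications, SMS, contacts or call logs")
    if fcm_channel and (firebase_db or websockets):
        reasons.append("remote command channel plus cloud/WebSocket egress")

    return {
        "install_control": sorted(perms & INSTALL_CONTROL),
        "data_harvest": sorted(perms & DATA_HARVEST),
        "notification_listener": notif_listener,
        "fcm_command_channel": fcm_channel,
        "firebase_db_endpoints": firebase_db,
        "websocket_endpoints": websockets,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


# Constructed sample input (hypothetical package name and endpoints).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepremium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".PushSvc" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_STRINGS = [
    "https://example-project.firebaseio.com/devices/",
    "wss://c2.example.invalid/socket",
    "https://web.telegram.org/",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires at least two of the three reasons: a legitimate app store client legitimately holds install permissions, and many messaging apps register for FCM, but an app that combines self-persisting installation with notification or SMS harvesting and an external command channel is the profile this write-up describes. Run it against the output of `apktool d` (the manifest) and `strings` over the decoded classes to get the same findings on a real sample.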

Additional Malicious Artifact

The same phishing site also hosts another suspicious file named CDEK, apparently named after the Russian parcel delivery service of that name. Cyfirma, the cybersecurity firm that analyzed FireScam, was unable to examine this artifact at the time of its research.

Unknown Attackers and Tactics

It is still unclear who is behind FireScam, how potential victims are led to the phishing site, or whether SMS phishing or malicious ads are used to lure them. By imitating a well-known platform like RuStore, the site borrows that platform's credibility to convince users to download a harmful application.

Final Thoughts

FireScam’s success in collecting data and monitoring devices highlights how effective phishing-based distribution can be on smartphones. Installing apps only from the official store for your device, treating a sideloaded “premium” version of a free app as a red flag, and reviewing which installed apps hold permission to install other apps or read notifications and SMS are the practical steps that keep this kind of malware off a device.