
posted by hubie on Friday January 10, @10:09AM
from the be-careful-out-there dept.

Arthur T Knackerbracket has processed the following story:

Android malware dubbed FireScam poses as a Telegram Premium application; once installed, it stealthily monitors victims' notifications, text messages, and app activity while stealing sensitive information via Firebase services.

Cyfirma researchers spotted the new infostealer with spyware capabilities and said the malware is distributed through a GitHub.io-hosted phishing website that mimics RuStore, a popular Russian Federation app store.

The phishing site delivers a dropper named ru[.]store[.]installer and it installs as GetAppsRu[.]apk. When launched, it prompts users to install Telegram Premium.

Of course, this isn't really the messaging app but rather the FireScam malware, and it targets devices running Android 8 through 15.

Once installed, it requests a series of permissions that allow it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps.

Plus, one of the permissions designates the miscreant who installed FireScam as the app's "update owner," thus preventing legitimate updates from other sources and enabling the malware to maintain persistence on the victim's device.

Attackers can use the infostealer/surveillance malware to intercept and steal sensitive device and personal information, including notifications, messages, other app data, clipboard content, and USSD responses, which may include account balances, mobile transactions, or network-related data.

"These logs are then exfiltrated to a Firebase database, granting attackers remote access to the captured details without the user's knowledge," Cyfirma's researchers noted.

Stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and then later removed.

This use of legitimate services – specifically Firebase, in this case, for data exfiltration and command-and-control (C2) communications – also helps the malware evade detection and is a tactic increasingly used to disguise malicious traffic and payloads.
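As an added example (not from the article or the Cyfirma report): a small Python triage script that flags a decoded AndroidManifest.xml requesting the permission profile described above, i.e. package enumeration, external-storage access, install/uninstall of other apps, update-ownership enforcement, and a notification-listener service. The permission constants are real Android ones; the sample manifest, the capability grouping and the threshold are constructed for illustration and do not come from the FireScam sample.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile the
FireScam write-up describes, plus a notification-listener service.
Heuristic only: it narrows an analyst's queue, it is not a verdict."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission constants; the grouping is this example's own.
CAPABILITIES = {
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "external storage access": {"android.permission.WRITE_EXTERNAL_STORAGE",
                                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "install/delete other apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                                  "android.permission.REQUEST_DELETE_PACKAGES"},
    "claim update ownership": {"android.permission.ENFORCE_UPDATE_OWNERSHIP"},
}
# Declared on a <service> element, not via <uses-permission>.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def assess_manifest(xml_text: str) -> dict:
    """Return the package name, matched capabilities and a heuristic flag."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = {cap: sorted(requested & perms)
            for cap, perms in CAPABILITIES.items() if requested & perms}
    if any(s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
           for s in root.iter("service")):
        hits["read notifications"] = [NOTIFICATION_LISTENER]
    # Threshold (constructed): three or more of these together is rare in a
    # benign messaging app and worth a closer look.
    return {"package": root.get("package"), "capabilities": hits,
            "suspicious": len(hits) >= 3}

# Constructed sample manifest, not taken from the real FireScam APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for cap, perms in assess_manifest(SAMPLE_MANIFEST)["capabilities"].items():
        print(f"{cap}: {', '.join(perms)}")
```

Run it against a manifest decoded with a tool such as apktool; a benign app that only asks for INTERNET produces no capability hits and is not flagged.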


  • (Score: 1, Funny) by Anonymous Coward on Friday January 10, @05:56PM

    by Anonymous Coward on Friday January 10, @05:56PM (#1388277)

    It's a Russian app.

    -----
    Slava Ukraini! Slay the orcs!

  • (Score: 1, Interesting) by Anonymous Coward on Saturday January 11, @12:06AM (3 children)

    by Anonymous Coward on Saturday January 11, @12:06AM (#1388338)

    https://www.breitbart.com/tech/2025/01/10/candy-crush-tinder-myfitnesspal-among-thousands-of-apps-exploited-to-harvest-location-data/ [breitbart.com]

    I use several old expired Android phones (useless for voice/texts) for interfacing to business. I do my day-to-day banking on one, manage my retirement plan on another, Amazon / eBay get one, and the oddball gets all my store loyalty apps and miscellaneous browsing, and my name is nowhere in it. That way I can satisfy several needs... business can demand I agree to whatever, businesses can share whatever they can get out of it, and I can still sleep at night knowing the "free burger with purchase" phone isn't ratting my financial credentials onto the web, as I did not take the time to study all that business talk under the "agree" button.

    I've just read enough that I know most will insist I grant them free run in my machine and I hold them harmless for any harm they may do. So I let them play around in some old phone I got out of a recycle bin in exchange for letting me buy something.

    • (Score: 0) by Anonymous Coward on Saturday January 11, @03:41AM (2 children)

      by Anonymous Coward on Saturday January 11, @03:41AM (#1388356)

      > I use several old expired Android phones ...

      I'm ignorant of how this might work:
      It sounds like you don't have phone/data plans for these smart phones?
      Do they work off your home Wi-Fi?
      Or some other internet connection?
      Do they need a SIM chip at all?

      • (Score: 0) by Anonymous Coward on Saturday January 11, @01:27PM (1 child)

        by Anonymous Coward on Saturday January 11, @01:27PM (#1388390)

        (parent responding)

        I have another Android with a data plan, tetherable.

        I set up its Wi-Fi hotspot. Back in the pocket it goes. It's now just a wireless access point to the internet.

        On my expired phone, I use its Wi-Fi interface to log into my hotspot. Even though the phone won't access a cell tower, I can still use it to run apps, including any that need to see the internet. However, anything that needs SMS or phone connections won't work.

        If I do get snookered, I can easily reset the phone to factory and reload my apps.

        I don't put any personal information in the one I use promiscuously. If I get nailed, so be it. Reset and don't revisit. Or maybe visit on purpose just to see what they are doing using a packet capture program.

        And the ones I have personal info on, I don't willy-nilly browse the web with them.

        I have vetted an FTP server to use to transfer any files amongst my systems by logging onto my local ad-hoc intranet hotspot. I maintain a Wi-Fi wireless access point, sans Internet connection, just for that purpose. My machines can then see each other, but the Internet is not around.

        • (Score: 0) by Anonymous Coward on Saturday January 11, @01:30PM

          by Anonymous Coward on Saturday January 11, @01:30PM (#1388391)

          Forgot... no, the expired phones do not need a SIM chip, but if you leave it in, you can still place 911 emergency calls on them.
