Title | Firescam Android Malware Masquerades As Telegram Premium App | |
Date | Friday January 10, @10:09AM | |
Author | hubie | |
from the be-careful-out-there dept. |
Arthur T Knackerbracket has processed the following story:
Android malware dubbed FireScam tricks people into thinking they are downloading a Telegram Premium application that stealthily monitors victims' notifications, text messages, and app activity, while stealing sensitive information via Firebase services.
Cyfirma researchers spotted the new infostealer with spyware capabilities and said the malware is distributed through a GitHub.io-hosted phishing website that mimics RuStore, a popular Russian Federation app store.
The phishing site delivers a dropper named ru[.]store[.]installer, which is installed as GetAppsRu[.]apk; when launched, it prompts users to install Telegram Premium.
Of course, this isn't really the messaging app but rather the FireScam malware, and it targets devices running Android 8 through 15.
Once installed, it requests a series of permissions that allow it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps.
Plus, one of the permissions designates the miscreant who installed FireScam as the app's "update owner," thus preventing legitimate updates from other sources and enabling the malware to maintain persistence on the victim's device.
Attackers can use the infostealer/surveillance malware to intercept and steal sensitive device and personal information, including notifications, messages, other app data, clipboard content, and USSD responses, which may include account balances, mobile transactions, or network-related data.
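Defenders triaging devices can turn the permission profile described above into a simple check. The script below is an added example, not code from the article or from Cyfirma: it parses output in the shape of `adb shell dumpsys package` (a constructed sample is embedded, with placeholder package names apart from the dropper) and flags sideloaded packages that hold several of the permissions the writeup attributes to FireScam. The READ_SMS entry and the trusted-installer list are assumptions.

```python
import re

RISKY = {  # permissions the writeup attributes to FireScam, plus one assumed
    "android.permission.QUERY_ALL_PACKAGES",        # list installed apps
    "android.permission.MANAGE_EXTERNAL_STORAGE",   # access/modify external storage
    "android.permission.REQUEST_INSTALL_PACKAGES",  # install other apps
    "android.permission.REQUEST_DELETE_PACKAGES",   # delete other apps
    "android.permission.READ_SMS",                  # assumed: matches SMS monitoring
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Only ru.store.installer comes from the writeup; the rest are placeholders.
SAMPLE = """\
Package [com.android.chrome] (1a2b3c):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
Package [com.example.telegram.premium] (4d5e6f):
  installerPackageName=ru.store.installer
  requested permissions:
    android.permission.QUERY_ALL_PACKAGES
    android.permission.REQUEST_INSTALL_PACKAGES
    android.permission.REQUEST_DELETE_PACKAGES
    android.permission.MANAGE_EXTERNAL_STORAGE
    android.permission.READ_SMS
"""

def parse_dumpsys(text):
    # Returns {package_name: {"installer": str|None, "perms": set()}}
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"installer": None, "perms": set()})
        elif cur is not None:
            s = line.strip()
            if s.startswith("installerPackageName="):
                cur["installer"] = s.split("=", 1)[1] or None
            elif s.startswith("android.permission."):
                cur["perms"].add(s.split(":", 1)[0])  # drop any ": granted=true"
    return pkgs

def flag_suspicious(pkgs, min_hits=3):
    # Sideloaded packages (installer not trusted) holding >= min_hits risky perms
    out = []
    for name, info in pkgs.items():
        hits = sorted(info["perms"] & RISKY)
        if info["installer"] not in TRUSTED_INSTALLERS and len(hits) >= min_hits:
            out.append((name, info["installer"], hits))
    return out
```

On a real device, feed it `adb shell dumpsys package` output and review each flagged package's installer and permission set by hand; the threshold is a triage aid, not a verdict.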
"These logs are then exfiltrated to a Firebase database, granting attackers remote access to the captured details without the user's knowledge," Cyfirma's researchers noted.
Stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and then later removed.
This use of legitimate services – specifically Firebase, in this case, for data exfiltration and command-and-control (C2) communications – also helps the malware evade detection and is a tactic increasingly used to disguise malicious traffic and payloads.
printed from SoylentNews, Firescam Android Malware Masquerades As Telegram Premium App on 2025-01-24 07:29:07