FireScam is a dropper malware disguised as a fake Telegram Premium app and distributed via a phishing website mimicking RuStore. It steals notifications, messages, and app data from compromised devices and monitors user activities.
The malware uses Firebase for communication, data storage, and delivery of additional payloads; it obfuscates its code and detects virtualized environments to evade analysis. FireScam exploits the popularity of messaging apps to lure users and steal sensitive information.
A phishing website that pretends to be RuStore is the source of this malware, which is disguised as a fake Telegram Premium app and distributed to Android devices.
Once installed, it steals sensitive information such as notifications, messages, and clipboard content by monitoring device activities, and exfiltrates the data to a Firebase Realtime Database.
The dropper acts as a delivery agent for the primary payload. That payload is protected with DexGuard, and strings inside the APK are encrypted to make analysis more difficult.
FireScam is also protected with NP Manager, which shields the core package ru.get.app from analysis and reverse engineering through encryption, code obfuscation, and hiding of implementation details.
The malicious app registers a Firebase Cloud Messaging (FCM) service to receive remote commands and exfiltrate data. It also abuses dynamic broadcast receivers with restricted access to establish a backdoor for communication with other compromised apps.
The application uses the Firebase Realtime Database to collect device information, messages, screen on/off events, and USSD responses.
It monitors notification content and clipboard data to capture sensitive information such as passwords and messages. By combining these techniques, the app steals user data and grants attackers unauthorized access to the compromised device.
The malicious Android application disguises itself as the legitimate Telegram app and, after installation, requests extensive permissions, including access to contacts, messages, and notifications.
It then monitors user activity, including app usage, screen time, and e-commerce transactions. Captured data, such as messages, call logs, and notification content, is exfiltrated to a Firebase server controlled by the threat actor.
The malware also attempts to download and execute additional payloads, potentially enabling further malicious activity. By leveraging legitimate services like Firebase and mimicking the Telegram interface, FireScam aims to evade detection while covertly stealing sensitive user information.
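The indicator combination described above (an FCM service for remote commands, a notification listener for capturing notification content, broad contacts/messages permissions, and Telegram branding on a package that is not Telegram) is something a defender can triage statically from a decoded AndroidManifest.xml. The script below is an added example written for this page; it is not FireScam's code and not Cyfirma's tooling. The two manifests are constructed for the demo, the package name ru.get.app comes from the article, and the Telegram package allow-list and the scoring weights are assumptions to tune for your own environment. Dynamic broadcast receivers are registered at runtime and do not appear in the manifest, so this check does not cover them.

```python
"""Static manifest triage for the FireScam-style indicator set.

Example code added to this page (not the malware's or Cyfirma's code).
Intent actions below are real Android/Firebase constants; the manifests,
allow-list and scoring weights are constructed assumptions for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions covering the data classes the article says the fake app
# requests (contacts, messages) and exfiltrates (call logs).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
}
# Real intent actions: a notification listener service and an FCM
# message-receiving service bind to these.
NOTIFICATION_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
# Assumed allow-list of genuine Telegram package names for the brand check.
TELEGRAM_PACKAGES = {"org.telegram.messenger"}


def _a(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    app = root.find("application")
    label = (_a(app, "label") or "") if app is not None else ""

    perms = {_a(p, "name") for p in root.findall("uses-permission")}
    service_actions = set()
    for svc in root.iter("service"):
        for act in svc.iter("action"):
            service_actions.add(_a(act, "name"))

    indicators = {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "notification_listener": NOTIFICATION_LISTENER_ACTION in service_actions,
        "fcm_service": FCM_ACTION in service_actions,
        # Telegram branding on a package that is not Telegram's.
        "brand_mismatch": "telegram" in label.lower() and package not in TELEGRAM_PACKAGES,
    }
    # Assumed weights: FCM alone is benign (many legitimate apps use it),
    # so it only adds weight when other indicators are already present.
    score = len(indicators["sensitive_permissions"])
    score += 2 if indicators["notification_listener"] else 0
    score += 2 if indicators["brand_mismatch"] else 0
    if indicators["fcm_service"] and score > 0:
        score += 1
    indicators["score"] = score
    indicators["verdict"] = "suspicious" if score >= 4 else ("review" if score else "clean")
    return indicators


# Constructed manifest modelled on the article's description of the fake app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ru.get.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Telegram Premium">
        <service android:name=".NotifSvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <service android:name=".FcmSvc" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest: FCM on its own should not trip the check.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <service android:name=".FcmSvc">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

Run it on a manifest pulled out of an APK with apktool or aapt; the verdict is a triage hint for an analyst, not a signature, and the weights should be adjusted against a corpus of known-good apps from your own fleet.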
FireScam, a sophisticated Android malware disguised as a Telegram app, exfiltrates sensitive user data to the Firebase Realtime Database, leverages Firebase Cloud Messaging for remote command execution and employs WebSocket for persistent communication with its C2 server.
It monitors various device activities, including notifications, the clipboard, screen activity, and USSD responses. It also captures user credentials through a fake Telegram login page and steals data from messaging apps and e-commerce transactions.
According to Cyfirma, FireScam utilizes obfuscation techniques and sandbox detection mechanisms to evade analysis and detection, posing a significant threat to user privacy and security.