A sophisticated Android malware known as FireScam has emerged, masquerading as a premium version of the Telegram messaging app to exfiltrate data and secure persistent control over compromised devices.
“This malicious software, disguised as a counterfeit ‘Telegram Premium’ application, is propagated via a phishing site hosted on GitHub.io, cleverly impersonating RuStore—a prominent app store in Russia,” Cyfirma explained, labeling it a “complex and multifaceted threat.”
The malware employs a multi-layered infection strategy, beginning with a dropper APK that, once installed on the victim’s device, deploys the main payload and begins surveillance.
Phishing Infrastructure and Malware Deployment
The phishing site, rustore-apk.github[.]io, mimics the legitimate RuStore platform, a creation of Russian tech conglomerate VK. This counterfeit site delivers the initial infection vector—a dropper APK file named GetAppsRu.apk.
Once executed, the dropper app facilitates the deployment of the primary malware payload. This payload siphons sensitive information such as notifications, messages, and app-specific data, transmitting it to a Firebase Realtime Database endpoint.
To entrench itself on devices running Android 8 or later, the dropper requests elevated permissions, including the ability to modify external storage and install or remove applications.
An insidious feature is its request for the ENFORCE_UPDATE_OWNERSHIP permission, which lets the app declare itself the “update owner.” Updates to the app from any other source then require explicit user consent, which reinforces the malware’s persistence.
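A defender-side triage check for the permission combination described above, added here as an example and not part of the original article or Cyfirma’s tooling; which concrete Android permission names correspond to the article’s descriptions, and the sample manifest, are assumptions:

```python
"""Triage a decoded AndroidManifest.xml for the permission pattern the FireScam
write-up describes (added example, not Cyfirma's tooling). The mapping from the
article's descriptions to concrete permission names is an assumption; the sample
manifest below is constructed, not taken from the real dropper."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups of interest, keyed by the behaviour the write-up describes.
INDICATORS = {
    "update_ownership": {"android.permission.ENFORCE_UPDATE_OWNERSHIP"},
    "install_remove_apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                            "android.permission.REQUEST_DELETE_PACKAGES"},
    "external_storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "personal_data": {"android.permission.READ_CONTACTS",
                      "android.permission.READ_SMS",
                      "android.permission.READ_CALL_LOG"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml: str) -> dict:
    """Report which indicator groups are present, and flag for escalation when
    the update-ownership lock is combined with app install/remove rights."""
    perms = declared_permissions(manifest_xml)
    hits = {group: sorted(perms & names) for group, names in INDICATORS.items()
            if perms & names}
    escalate = "update_ownership" in hits and "install_remove_apps" in hits
    return {"hits": hits, "escalate": escalate}

# Constructed sample resembling a dropper that locks in update ownership.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.getapps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with apktool; a hit on the update-ownership group alongside install/remove rights is the pattern worth pulling for manual review.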
Espionage and Data Harvesting Techniques
FireScam employs a host of obfuscation and anti-analysis mechanisms to evade detection. Its surveillance capabilities include monitoring incoming notifications, clipboard activities, screen states, and e-commerce transactions. Furthermore, it can process image data from specified URLs and extract valuable user insights.
When launched, the rogue Telegram Premium app seeks permissions to access contacts, SMS logs, and call records. Simultaneously, it opens a WebView interface that mimics Telegram’s legitimate login page to steal user credentials. Notably, the data extraction process proceeds irrespective of whether the victim provides login details.
The malware also establishes a Firebase Cloud Messaging (FCM) service to receive remote commands and maintain clandestine device access. Additionally, it creates a WebSocket connection to its command-and-control (C2) server for continuous data exfiltration and further malicious operations.
Additional Malicious Components and Attribution Challenges
Interestingly, the phishing domain associated with FireScam also hosted another malicious file referred to as CDEK, potentially exploiting the name of a Russian package tracking service. However, Cyfirma was unable to retrieve this artifact during its investigation.
The identities of FireScam’s operators and the exact methods used to lure users to these phishing sites remain unclear. The campaign may involve techniques such as SMS phishing (smishing) or malvertising.
Exploitation of User Trust
“By mimicking trusted platforms like RuStore, these phishing schemes capitalize on user confidence, tricking individuals into installing fake applications,” Cyfirma noted. “FireScam’s ability to carry out surveillance and data theft underscores the efficacy of phishing-based malware distribution.”
This campaign serves as a reminder of the persistent threats posed by cleverly disguised malware and the importance of user vigilance in downloading applications only from trusted, verified sources.