New FireScam Infostealer Spyware Hits Android via Fake Telegram Premium

Researchers at Cyfirma have discovered FireScam, an Android malware disguised as ‘Telegram Premium’ that steals data, monitors activity, and infiltrates devices. Learn about its distribution, functionality, and the impact on user privacy.

HackRead

SUMMARY

  • FireScam Malware: FireScam disguises itself as a “Telegram Premium” app to target Android users via phishing websites mimicking trusted app stores.

  • Malicious Capabilities: It steals sensitive data, monitors apps, tracks device activity, and ensures persistence through advanced permissions.

  • Evasion Techniques: FireScam uses obfuscation, restricted access, and sandbox detection to bypass traditional security measures.

  • Exploitation Methods: Social engineering and phishing tactics exploit user trust, leading to identity theft and financial fraud.

  • Defense Recommendations: Experts advise using antivirus software, performing regular updates, and monitoring app behavior for enhanced mobile security.

The rapid adoption of mobile applications has given threat actors a valuable opportunity to exploit unsuspecting users, as shown by the growing number of incidents in which malware is embedded in such apps, cybersecurity researchers at Cyfirma observed.

According to their investigation, shared with Hackread.com, FireScam is the latest example of information-stealing malware disguised as a legitimate application to target Android devices. It uses social engineering and phishing techniques to compromise users’ devices and steals sensitive data such as login credentials, financial information, and personal messages, posing a significant threat to user privacy, the researchers noted in their blog post.

FireScam primarily spreads through phishing websites designed to mimic popular app stores. In this case, the malware is disguised as a “Telegram Premium” app and distributed via a GitHub.io-hosted phishing website resembling RuStore, a prominent app store in the Russian Federation. This deceptive strategy capitalizes on user trust in established app stores, luring them into downloading the malicious APK file.

Fake Telegram Premium (Via Cyfirma)

The dropper, once installed on the victim’s device, requests permissions to query and list installed applications, access external storage, delete and install applications, and update itself without user consent. It declares itself the designated owner of the installed app and restricts updates so that no other installer can update it, ensuring persistence on the device.

FireScam possesses extensive malicious functionalities designed to steal sensitive user data and monitor device activities. It exfiltrates sensitive data, including notifications, messages, and app data, to a Firebase Realtime Database endpoint, and actively monitors notifications across various apps, capturing sensitive information and tracking user activities. Moreover, it intercepts USSD responses, compromising financial data like account balances and mobile transaction details.
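As an added defender-side example (not code from the article or from Cyfirma’s report), the script below performs static triage of an Android manifest for the capability cluster described above: enumerating installed apps, installing and deleting packages, external storage access, and a notification-listener service that can harvest notifications. The standard Android permission names are my mapping of the capabilities the article describes (it does not name them), and the sample manifest is constructed.

```python
"""Flag a manifest that declares the FireScam-style capability cluster.
The permission names are standard Android ones; assuming them to be what
such a dropper declares is an inference from the article's description."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability described in the article -> Android permission(s) that grant it.
CAPABILITY_PERMISSIONS = {
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "install packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "delete packages": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "external storage access": {"android.permission.READ_EXTERNAL_STORAGE",
                                "android.permission.WRITE_EXTERNAL_STORAGE"},
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the matched capabilities, a score, and a suspicious flag."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    declared = {e.get(name_attr) for e in root.iter("uses-permission")}
    found = [cap for cap, perms in CAPABILITY_PERMISSIONS.items() if declared & perms]
    # A service bound with the listener permission sees every notification.
    app = root.find("application")
    services = app.iter("service") if app is not None else []
    if any(s.get(perm_attr) == NOTIFICATION_LISTENER for s in services):
        found.append("notification harvesting")
    return {"capabilities": found, "score": len(found), "suspicious": len(found) >= 3}


# Constructed sample manifest mirroring the article's description.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fake.premium">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```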

The malware actively monitors the clipboard, content shared between apps, and device state changes. It can also track user activity within e-commerce apps, including purchases and refunds, and primarily targets messaging apps, capturing their content and exfiltrating it to remote servers. It monitors screen activity and uploads important events to its command-and-control server.

Regarding evasion, FireScam uses advanced obfuscation techniques, restricted access control for dynamic receivers, and sandbox detection mechanisms to evade detection. It can also receive and execute commands via Firebase Cloud Messaging notifications for remote control.

Its continuous monitoring of device activities allows attackers to exploit user behaviour for malicious purposes like phishing attacks, identity theft, and financial fraud. The malware’s presence can compromise the confidentiality and integrity of sensitive data, affecting individuals and organizations, especially those handling sensitive information. This highlights the need for using reliable antivirus software, performing regular software updates, and exercising vigilance online.

Stephen Kowski, Field CTO at SlashNext Email Security+, told Hackread.com, “Cybercriminals exploit trusted brands like Telegram’s premium name. FireScam’s persistence relies on permission manipulation and Firebase Cloud Messaging. Advanced mobile threat detection, real-time app scanning, and continuous monitoring are critical to countering such sophisticated attacks that exploit user trust and legitimate channels.”
