FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices


Jan 06, 2025 Ravie Lakshmanan Malware / Mobile Security

An Android information-stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices.

"Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing website that impersonates RuStore – a popular app store in the Russian Federation," Cyfirma said, describing it as a "sophisticated and multifaceted threat."

"The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed."

The phishing website in question, rustore-apk.github[.]io, mimics RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver a dropper APK file ("GetAppsRu.apk").

Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.

The dropper app requests several permissions, including the ability to write to external storage and install, update, or delete arbitrary apps on infected Android devices running Android 8 and later.

"The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app's designated owner. The initial installer of an app can declare itself the 'update owner,' thereby controlling updates to the app," Cyfirma noted.

"This mechanism ensures that update attempts by other installers require user approval before proceeding. By designating itself as the update owner, a malicious app can prevent legitimate updates from other sources, thereby maintaining its persistence on the device."
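As an added illustration of the update-ownership point (this is not code from the article or from Cyfirma), the following Python script triages a decoded AndroidManifest.xml for that permission alongside the install and storage permissions the dropper is described as requesting. ENFORCE_UPDATE_OWNERSHIP comes from the text; the other permission names and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# ENFORCE_UPDATE_OWNERSHIP is the permission the article names. The other
# three are an assumption about which standard Android permissions grant the
# capabilities it describes (external storage write; install/delete apps).
PERSISTENCE_PERMS = {
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claims update ownership",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install/update APKs",
    "android.permission.REQUEST_DELETE_PACKAGES": "can remove other apps",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can stage files on storage",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Flag persistence-related permissions and the dropper-like combination."""
    perms = declared_permissions(manifest_xml)
    hits = {p: why for p, why in PERSISTENCE_PERMS.items() if p in perms}
    # The pattern the article describes: an installer that can install the
    # payload and then claims update ownership so other installers cannot
    # replace it without user approval.
    dropper_like = (
        "android.permission.ENFORCE_UPDATE_OWNERSHIP" in hits
        and "android.permission.REQUEST_INSTALL_PACKAGES" in hits
    )
    return {"hits": hits, "dropper_like": dropper_like}


# Constructed sample manifest for illustration; not the real dropper's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
</manifest>"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, why in result["hits"].items():
        print(f"{perm}: {why}")
    print("dropper-like permission set:", result["dropper_like"])
```

Run it against a manifest decoded with a tool such as apktool; a hit on the combination is a triage signal, not proof of malice, since legitimate app stores also request install and update-ownership permissions.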

FireScam employs various obfuscation and anti-analysis techniques to evade detection. It also keeps tabs on incoming notifications, screen state changes, e-commerce transactions, clipboard content, and user activity to gather data of interest. Another notable function is its ability to download and process image data from a specified URL.

The rogue Telegram Premium app, when launched, further seeks users' permission to access contact lists, call logs, and SMS messages, after which a login page for the legitimate Telegram website is displayed through a WebView to steal the credentials. The data gathering process is initiated regardless of whether the victim logs in or not.

Finally, it registers a service to receive Firebase Cloud Messaging (FCM) notifications, allowing it to receive remote commands and maintain covert access – a sign of the malware's broad monitoring capabilities. The malware also simultaneously establishes a WebSocket connection with its command-and-control (C2) server for data exfiltration and follow-on actions.

Cyfirma said the phishing domain also hosted another malicious artifact named CDEK, which is likely a reference to a Russia-based package and delivery tracking service. However, the cybersecurity company said it was unable to obtain the artifact at the time of analysis.

It is currently not clear who the operators are, how users are directed to these links, or whether SMS phishing or malvertising techniques are involved.

"By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit user trust to deceive individuals into downloading and installing fake applications," Cyfirma said.

"FireScam carries out its malicious activities, including data exfiltration and surveillance, further demonstrating the effectiveness of phishing-based distribution techniques in infecting devices and evading detection."
