FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data and maintains persistence on compromised devices; it leverages phishing websites to distribute its payload and infiltrate Android devices.
It is Android malware disguised as a fake Telegram Premium app, distributed via a phishing website mimicking RuStore, which steals user data such as notifications, messages, and clipboard content and exfiltrates it to a Firebase Realtime Database.
Technical Analysis
Exfiltrated data is initially stored in the Firebase Realtime Database at “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” before potential filtering and transfer to a private location.

Analysis of the Firebase Realtime Database revealed potential Telegram IDs of threat actors and malware users under the ‘users’ tag, while under the ‘app’ tag the database exposed the URL of a phishing website hosting the dropper malware.
Phishing websites mimicking legitimate platforms like RuStore successfully distribute malware like FireScam, which exploits user trust to deliver malicious applications such as “Telegram Premium,” often evading detection through obfuscation techniques and advanced persistence mechanisms.

GetAppsRu.apk is a malicious dropper protected by DexGuard that queries installed apps and reads or writes external storage.
It installs or updates other apps without user consent and delivers the FireScam malware, disguised as Telegram Premium.apk, on devices running Android 8 to 15.
FireScam uses NP Manager to obfuscate its core package ru.get.app, making reverse engineering difficult, and also employs empty class inheritance and process name verification to potentially evade sandbox detection.
It is also capable of identifying virtualized environments by fingerprinting system details, which could potentially optimize its attack and allow it to evade security controls.

An app using Firebase Cloud Messaging (FCM) can receive remote commands and exfiltrate data while maintaining persistent communication with a remote server, potentially bypassing security measures.
The malicious app exploits dynamic broadcast receivers with custom permissions to create a backdoor for communication and abuses the Firebase Realtime Database to exfiltrate sensitive device information, including device name, app name, notification text, and timestamps.

It stealthily installs and executes on the victim’s device by requesting critical permissions. It leverages Firebase for registration and attempts C2DM integration while initiating data exfiltration by accessing contacts, messages, and potentially other sensitive information.
According to Cyfirma, FireScam exfiltrates sensitive data from compromised devices to a Firebase C2 server using TLS-encrypted GET requests.
These requests, combined with a WebSocket upgrade, enable real-time bidirectional communication to facilitate data exfiltration and command-and-control operations.
An Android malware disguised as Telegram Premium uses Firebase for evasion and steals sensitive data, distributing itself through phishing websites.
It monitors device activity and exfiltrates information to remote servers, posing a significant threat to user privacy and security.
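One defensive use of those transport details is a log check that flags Realtime Database traffic to namespaces outside an allowlist, covering both the plain REST GET and the WebSocket session. This is an added example, not code from Cyfirma's report; the proxy log format, the allowlist, the sample host names and the WebSocket URL shape (`/.ws?v=5&ns=<namespace>`) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the report). Format: src_ip method url upgrade-header
# The second line models the WebSocket session a Firebase client opens after its REST GET.
SAMPLE_LOG = """\
10.0.0.5 GET https://androidscamru-default-rtdb.firebaseio.com/users.json -
10.0.0.5 GET https://s-usc1c-nss-2077.firebaseio.com/.ws?v=5&ns=androidscamru-default-rtdb websocket
10.0.0.7 GET https://myapp-prod.firebaseio.com/.ws?v=5&ns=myapp-prod websocket
10.0.0.9 GET https://example.com/index.html -
"""

# Realtime Database namespaces your own apps legitimately use (constructed allowlist).
ALLOWED_NAMESPACES = {"myapp-prod"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def firebase_namespace(url):
    """Return the Realtime Database namespace a URL targets, or None if it is not Firebase RTDB."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(".firebaseio.com"):
        return None
    # WebSocket sessions name the database in ns=; REST calls carry it as the host's first label.
    ns = parse_qs(parts.query).get("ns")
    return ns[0] if ns else host.split(".")[0]


def flag_firebase_traffic(log_text, allowed=ALLOWED_NAMESPACES):
    """Return one finding per request to a Firebase RTDB namespace that is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method, url, upgrade = m.groups()
        ns = firebase_namespace(url)
        if ns is None or ns in allowed:
            continue
        kind = "websocket-upgrade" if upgrade.lower() == "websocket" else f"{method}-rest"
        findings.append({"src": src, "namespace": ns, "kind": kind, "url": url})
    return findings


if __name__ == "__main__":
    for f in flag_firebase_traffic(SAMPLE_LOG):
        print(f"{f['src']} -> {f['namespace']} [{f['kind']}] {f['url']}")
```

Firebase traffic is common on Android fleets, so the allowlist is the filter that matters: a device talking to a namespace none of your apps use, and then upgrading that connection to a WebSocket, is the pattern worth a ticket.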