New FireScam malware distributed as a premium Telegram app

January 21, 2025

A new malicious campaign distributes the FireScam malware by passing it off as a premium version of the Telegram app. The primary distribution vector is a set of phishing websites hosted on GitHub that impersonate RuStore, a Russian mobile app marketplace.

RuStore, the impersonated store, is a Russian alternative to Google Play and the Apple App Store. It was developed with the assistance of the Russian Ministry of Digital Development in response to restrictions that limited Russian consumers’ access to mobile software, and it hosts apps that comply with Russian legislation.

The researchers explained that the GitHub-hosted site mimicking RuStore first serves a dropper module called GetAppsRu.apk. The dropper is obfuscated with DexGuard and requests permissions to enumerate installed apps, access the device’s storage, and install additional packages.

The dropper then extracts and installs the main payload, ‘Telegram Premium.apk’, which requests permissions for a range of capabilities, including reading notifications, clipboard contents, SMS messages, and telephony state.
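The two-stage chain above (a dropper that can enumerate apps, touch storage and install packages, followed by a payload that wants notification, SMS and telephony access) is a permission profile an analyst can triage straight from an APK’s decoded AndroidManifest.xml. The script below is an added example, not code from the article or from the researchers who analysed FireScam. It parses a manifest as produced by tools such as apktool, maps the capabilities the article describes onto standard Android permission names (that mapping, the two embedded sample manifests and every package and class name in them are this example’s own assumptions, constructed for illustration), and flags dropper-like and spyware-like profiles. Notification access is granted by binding a NotificationListenerService rather than by a uses-permission entry, so it is detected from service declarations; clipboard reads need no manifest permission at all and are therefore invisible to this kind of static check.

```python
"""Triage a decoded AndroidManifest.xml for a FireScam-style permission profile.

Added example: not the article's or the researchers' code. Permission names
are the real Android constants; the capability-to-permission mapping and the
sample manifests are constructed assumptions for illustration.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> permissions that grant it (assumed mapping, not from the article).
PROFILE = {
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "enumerate_apps":   {"android.permission.QUERY_ALL_PACKAGES"},
    "storage":          {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE",
                         "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "sms":              {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "telephony":        {"android.permission.READ_PHONE_STATE",
                         "android.permission.READ_CALL_LOG"},
    "usage_stats":      {"android.permission.PACKAGE_USAGE_STATS"},
}
# Notification access comes from a service guarded by this permission,
# not from a <uses-permission> entry.
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

DROPPER_LIKE = {"install_packages", "enumerate_apps", "storage"}
SPYWARE_LIKE = {"notifications", "sms", "telephony"}

# Constructed sample manifests (package and class names are invented).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ru.example.getapps.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="GetAppsRu">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.telegram.premium.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Telegram Premium">
        <service android:name="com.example.sample.NotifSvc"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""


def requested_permissions(root):
    """Set of permission names declared via <uses-permission>."""
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def notification_listener_services(root):
    """Service class names that bind as a NotificationListenerService."""
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM]


def triage_manifest(xml_text):
    """Map declared permissions/services to capabilities and score the profile."""
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    caps = {cap for cap, needed in PROFILE.items() if perms & needed}
    listeners = notification_listener_services(root)
    if listeners:
        caps.add("notifications")
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "notification_listeners": listeners,
        "dropper_like": DROPPER_LIKE <= caps,
        "spyware_like": SPYWARE_LIKE <= caps,
    }


if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        print(json.dumps(triage_manifest(manifest), indent=2))
```

Run it against a real sample by feeding `triage_manifest()` the AndroidManifest.xml that apktool writes into its output directory. A hit on either profile is a triage signal, not a verdict: legitimate app stores and launchers also request install and enumeration permissions, and messaging apps legitimately read SMS, so the output should drive further review (the origin of the APK, the WebView login flow, the network endpoints it contacts) rather than an automatic block.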

The FireScam malware has various capabilities.

According to the analysis, once running the malware opens a fake WebView screen that displays a Telegram login page; credentials entered there are captured, handing the operators the victim’s messaging credentials.

The malware then communicates with a Firebase Realtime Database, uploading stolen data in real time and registering the infected device with a unique identifier so the operators can track it. The researchers stated that stolen data is kept in the database only briefly before being deleted.

The malware also holds a persistent WebSocket connection to the Firebase-hosted C2 endpoint, over which it receives commands: request specific data, trigger an immediate upload to the Firebase database, download and run additional payloads, or adjust its surveillance parameters.

FireScam also monitors screen state, recording screen-on and screen-off events and logging which app is in the foreground at the time, and it records app-usage events that last longer than 1,000 milliseconds.

Furthermore, the spyware monitors e-commerce transactions in order to capture financial information.

Anything the user types, drags and drops, or copies to the clipboard, including data auto-filled by password managers or shared between apps, is categorised and exfiltrated to an attacker-controlled server.

To avoid infection, users should install apps only from official stores rather than sideloading APKs from websites, treat ‘premium’ versions of well-known apps offered outside those stores as suspect, and review the permissions an app requests, particularly notification access, SMS, and the ability to install other packages.
