An Android info stealing malware named FireScam has been discovered masquerading as a premium model of the Telegram messaging app to steal information and preserve persistent distant management over compromised gadgets.
“Disguised as a pretend ‘Telegram Premium’ app, it’s distributed by a GitHub.io-hosted phishing website that impersonates RuStore – a preferred app retailer within the Russian Federation,” Cyfirma mentioned, describing it as a “subtle and multifaceted menace.”
“The malware employs a multi-stage an infection course of, beginning with a dropper APK, and performs intensive surveillance actions as soon as put in.”
The phishing website in query, rustore-apk.github[.]io, mimics RuStore, an app retailer launched by Russian tech large VK within the nation, and is designed to ship a dropper APK file (“GetAppsRu.apk”).
As soon as put in, the dropper acts as a supply car for the primary payload, which is liable for exfiltrating delicate information, together with notifications, messages, and different app information, to a Firebase Realtime Database endpoint.
The dropper app requests a number of permissions, together with the flexibility to put in writing to exterior storage and set up, replace, or delete arbitrary apps on contaminated Android gadgets operating Android 8 and later.
“The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app’s designated proprietor. The preliminary installer of an app can declare itself the ‘replace proprietor,’ thereby controlling updates to the app,” Cyfirma famous.
“This mechanism ensures that replace makes an attempt by different installers require consumer approval earlier than continuing. By designating itself because the replace proprietor, a malicious app can stop professional updates from different sources, thereby sustaining its persistence on the machine.”
FireScam employs varied obfuscation and anti-analysis methods to evade detection. It additionally retains tabs on incoming notifications, display state adjustments, e-commerce transactions, clipboard content material, and consumer exercise to collect info of curiosity. One other notable operate is its capability to obtain and course of picture information from a specified URL.
The rogue Telegram Premium app, when launched, additional seeks customers’ permission to entry contact lists, name logs, and SMS messages, after which a login web page for the professional Telegram web site is displayed by a WebView to steal the credentials. The info gathering course of is initiated no matter whether or not the sufferer logs in or not.
Lastly, it registers a service to obtain Firebase Cloud Messaging (FCM) notifications, permitting it to obtain distant instructions and preserve covert entry – an indication of the malware’s broad monitoring capabilities. The malware additionally concurrently establishes a WebSocket reference to its command-and-control (C2) server for information exfiltration and follow-on actions.
Cyfirma mentioned the phishing area additionally hosted one other malicious artifact named CDEK, which is probably going a reference to the Russia-based package deal and supply monitoring service. Nevertheless, the cybersecurity firm mentioned it was unable to acquire the artifact on the time of study.
It is at present not clear who the operators are, or how customers are directed to those hyperlinks, and if it includes SMS phishing or malvertising methods.
“By mimicking professional platforms such because the RuStore app retailer, these malicious web sites exploit consumer belief to deceive people into downloading and putting in pretend functions,” Cyfirma mentioned.
“FireScam carries out its malicious actions, together with information exfiltration and surveillance, additional demonstrating the effectiveness of phishing-based distribution strategies in infecting gadgets and evading detection.”
