FireScam Mobile Malware

A newly identified Android threat named FireScam has been uncovered. It disguises itself as an enhanced version of the Telegram messaging app. This deceptive tactic enables the threatening software to extract sensitive user data and sustain persistent remote access to compromised devices.

A Clever Disguise: Fake Telegram Premium Application

FireScam is distributed under the guise of a counterfeit 'Telegram Premium' application. It spreads through a phishing website hosted on GitHub.io, which falsely presents itself as RuStore—a well-known app marketplace in Russia. Security analysts describe this mobile threat as complex and highly adaptable. Once installed, it follows a multi-stage infection process, beginning with a dropper APK that facilitates extensive surveillance.

The fraudulent site, rustore-apk.github.io, mimics RuStore's interface and is designed to trick users into downloading a dropper APK file called 'GetAppsRu.apk.'

The Dropper’s Role in FireScam’s Attack

After installation, the dropper serves as a delivery mechanism for the primary payload. This core component is responsible for collecting and transmitting sensitive information—such as messages, notifications, and application data—to a Firebase Realtime Database.

To strengthen its control, the dropper requests multiple permissions, which include access to external storage and the ability to install, update, or remove applications on Android devices running version 8 and newer.

A particularly concerning aspect of FireScam is its exploitation of the ENFORCE_UPDATE_OWNERSHIP permission. This Android feature allows an application's original installer to become its 'update owner,' meaning only the designated owner can initiate updates. By leveraging this mechanism, FireScam can block legitimate updates from other sources, ensuring its continued presence on the infected device.
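As an added illustration of the ownership-locking behaviour described above (example code written for this page, not from the analysis or from the malware itself), the following triage script flags packages that were sideloaded or installed by another app, and packages whose update owner is not a trusted store. It assumes the `package:<name>  installer=<installer>` line format of `adb shell pm list packages -i`, a `updateOwnerPackageName=` field in `dumpsys package <pkg>` output on Android 14 and newer, and Google Play (`com.android.vending`) as the only trusted installer; every package name in the sample data is constructed.

```python
import re

# Installer package names treated as trusted (assumption: Google Play only; add others as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i`, e.g. "package:com.android.chrome  installer=com.android.vending".
# Sideloaded packages show "installer=null"; packages installed by a dropper show the dropper's name.
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer package name ("null" when sideloaded/unknown)."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def update_owner(dumpsys_output: str) -> str:
    """Extract updateOwnerPackageName from a `dumpsys package <pkg>` excerpt.
    The field name is an assumption (Android 14+); returns "null" when absent."""
    m = re.search(r"updateOwnerPackageName=(\S+)", dumpsys_output)
    return m.group(1) if m else "null"


def triage(pm_output: str, dumpsys_by_pkg: dict[str, str]) -> list[dict]:
    """Flag untrusted installers and update owners that are themselves untrusted apps."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        owner = update_owner(dumpsys_by_pkg.get(pkg, ""))
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by untrusted source '{installer}'")
        if owner != "null" and owner not in TRUSTED_INSTALLERS:
            reasons.append(f"update owner '{owner}' is not a trusted store")
        if reasons:
            findings.append({"package": pkg, "installer": installer, "update_owner": owner, "reasons": reasons})
    return findings


# Constructed sample output (not from a real device): a sideloaded dropper that installed
# a fake messenger and claimed update ownership over it, locking out other updaters.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.fake.messenger  installer=com.example.dropper
"""
SAMPLE_DUMPSYS = {
    "com.example.fake.messenger": "  installerPackageName=com.example.dropper\n  updateOwnerPackageName=com.example.dropper\n",
    "org.telegram.messenger": "  installerPackageName=com.android.vending\n  updateOwnerPackageName=null\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f["package"], "->", "; ".join(f["reasons"]))
```

On a real device, feed it the output of `adb shell pm list packages -i` and, per flagged package, `adb shell dumpsys package <pkg>`; an update owner that is not a store is the signal worth investigating.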

Advanced Evasion and Surveillance Features

FireScam employs obfuscation techniques to resist detection and analysis. It actively monitors incoming notifications, changes in screen state, user activity, clipboard content, and even online transactions. The threat is also capable of downloading and processing images from a remote server, adding another layer to its surveillance capabilities.

When launched, the rogue Telegram Premium app requests permission to access users' contacts, call logs, and SMS messages. It then presents a login page that mirrors the official Telegram website via a WebView, attempting to capture user credentials. However, the data collection process is triggered even if the user does not enter their login details.

Maintaining Persistent Remote Access

One of FireScam's more insidious functions is its ability to register for Firebase Cloud Messaging (FCM) notifications. This allows the threat to receive remote instructions and maintain ongoing covert access to the device. Additionally, it establishes a WebSocket connection with its command-and-control (C2) server to facilitate data theft and execute further unsafe actions.

Other Harmful Components and Unanswered Questions

Researchers also identified another harmful artifact hosted on the phishing domain, referred to as 'CDEK.' This name likely references a Russian logistics and package-tracking service, suggesting broader malicious activity beyond FireScam alone.

It remains unclear who is behind this operation or how users are being directed to these phishing links. Potential tactics could involve SMS phishing (smishing) or malvertising campaigns. By imitating legitimate services like RuStore, these deceptive websites manipulate user trust to convince individuals to download fraudulent applications.

FireScam's ability to exfiltrate data and conduct surveillance underscores the risks associated with phishing-driven distribution methods. This case highlights the ongoing challenges in protecting Android users from threats that exploit social engineering and trust in well-known platforms.
