The Firestarter Trojan is a new Android loader malware that abuses the legitimate Firebase Cloud Messaging (FCM) service to communicate with its Command-and-Control (C2, C&C) infrastructure. Firebase is a subsidiary of the tech giant Google, and its FCM service is a cross-platform cloud tool for messages and notifications for Android, iOS, and Web applications.
The Firestarter Trojan was detected as part of the operations of the advanced persistent threat group called DoNot. The malware threat showcases DoNot's efforts to bolster the persistence of the footholds it has established on compromised devices. It also demonstrates the hackers' ability to adopt new techniques and quickly implement them in their malware tools. DoNot's primary focus has consistently remained on the South Asia region and, more specifically, India and Pakistan.
Although it has not been decisively confirmed, the most likely distribution vector for the Firestarter loader is socially engineered direct messages that try to trick unsuspecting users into installing a threatening application that pretends to be a chat platform. The names of the application's files, ashmir_sample.apk or Kashmir_Voice_v4.8.apk, showcase DoNot's continued interest in the Kashmir crisis.
Firestarter Trojan Abuses Legitimate Service
Once executed, the malware application initiates a diversion routine that displays several fake error messages to the user in an attempt to hide its threatening activity. The messages falsely state that the application is not supported and that it will be uninstalled. To make it appear that the application is no longer installed, its icon is removed from the user interface. However, going through the device's settings will show that the application is still present on the device and working in the background.
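The gap described above (an application that is still installed but has no icon) can be checked from a workstation. The following is an added example, not code from the original report: it compares the output of `adb shell pm list packages -3` with the output of `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`. All package names and sample outputs are constructed, and the exact layout of the query output is an assumption.

```python
import re

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
SAMPLE_INSTALLED = """\
package:com.example.notes
package:com.example.chatapp
package:org.example.keyboard
"""

# Constructed sample of the launcher-activity query; the layout is assumed.
SAMPLE_LAUNCHER = """\
2 activities found:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.example.notes/.MainActivity
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.android.settings/.Settings
"""

# A component line looks like "<package>/<activity>"; other lines are ignored.
COMPONENT = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")


def installed_packages(pm_output):
    """Package names from lines of the form 'package:<name>'."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")}


def launcher_packages(query_output):
    """Packages that expose at least one MAIN/LAUNCHER activity (an icon)."""
    return {m.group(1) for line in query_output.splitlines()
            if (m := COMPONENT.match(line))}


def apps_without_icon(pm_output, query_output, allowlist=frozenset()):
    """Installed third-party packages with no launcher icon, minus known-good ones."""
    hidden = installed_packages(pm_output) - launcher_packages(query_output)
    return sorted(hidden - set(allowlist))


if __name__ == "__main__":
    # The allowlist entry stands for a legitimately icon-less app such as a keyboard.
    for pkg in apps_without_icon(SAMPLE_INSTALLED, SAMPLE_LAUNCHER,
                                 allowlist={"org.example.keyboard"}):
        print("installed but no launcher icon:", pkg)
```

Keyboards, widgets and service-only applications also lack a launcher icon, so the result is a triage list to review rather than a verdict.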
The main functionality of the Firestarter Trojan is to establish a connection with the C2 servers and to deliver and deploy the malware payload. In its outbound communication, the loader sends a Google FCM token that contains various system information, including IP address, geolocation, IMEI and email address. This initial information helps the hackers determine whether the target is worthy of being infected with the main malware threat. If they decide to proceed, the cybercriminals return an FCM message to the loader containing the link from which it has to fetch the payload.
Because the Firestarter Trojan's traffic abuses a legitimate service, it blends in better with the rest of the communication that the Android OS generates over Google's infrastructure. Another measure against easy detection is the post-compromise download of the threatening payload, which minimizes the initial footprint that needs to infiltrate the targeted device.