FireScam Malware: Android Users Beware of Fake Telegram App

By Sophia Taylor

A new Android malware family, dubbed FireScam, is making waves in the cybersecurity world and poses a serious threat to users. Disguised as a premium version of the popular Telegram messaging app, FireScam is distributed through phishing websites that mimic RuStore, the Russian app marketplace. These malicious sites are hosted on GitHub Pages (github.io) domains and trick unsuspecting users into downloading the malware.

Fig 1. An image of the fake Telegram Premium app in the RuStore lookalike. Source: CYFIRMA

How FireScam Works

FireScam operates in multiple stages. Users are first lured into downloading a dropper module named GetAppsRu.apk. The dropper is obfuscated to evade detection and requests broad permissions on the device: enumerating installed apps, accessing storage, and installing additional packages. Once installed, it extracts the embedded main payload, "Telegram Premium.apk", and installs it.

The payload goes after sensitive data by requesting permissions to monitor notifications, the clipboard, SMS, and telephony services. It steals login credentials through a fake Telegram login screen, monitors e-commerce transactions, and captures data entered by password managers or autofill features.
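The permission profile described above is something an analyst can check statically before ever running a sample. The following is an added example (not code from the article or from CYFIRMA's analysis): it parses decoded AndroidManifest.xml files, as produced by a tool such as apktool, and flags the dropper-style combination (enumerate packages + install packages) and the spyware-style combination (SMS, telephony, notification listener). The permission names are the editor's mapping of the behaviours the article describes onto standard Android permissions, not a list extracted from FireScam, and the three manifests are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Editor's mapping of the article's description to standard Android
# permission / service names. These are assumptions for the example, not
# strings pulled from a FireScam sample.
DROPPER_INDICATORS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
    "android.permission.WRITE_EXTERNAL_STORAGE": "stage a payload on storage",
}
SPYWARE_INDICATORS = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_PHONE_STATE": "telephony state",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read all notifications",
}
# Note: clipboard access needs no manifest permission on Android, so static
# manifest triage cannot detect that part of the behaviour.

# Constructed manifests (package names are placeholders, not FireScam's).
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="GetAppsRu"/>
</manifest>"""

PAYLOAD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotificationSpy"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""


def permissions_in_manifest(xml_text):
    """Collect <uses-permission> names plus the android:permission attribute
    of declared services (notification access is granted to a service, not
    requested via <uses-permission>)."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            found.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            found.add(perm)
    return found


def triage(xml_text):
    """Return a verdict and the indicator hits for one decoded manifest."""
    perms = permissions_in_manifest(xml_text)
    dropper_hits = sorted(p for p in DROPPER_INDICATORS if p in perms)
    spy_hits = sorted(p for p in SPYWARE_INDICATORS if p in perms)
    verdict = "benign-looking"
    if len(dropper_hits) >= 2:      # list packages + install packages: sideload dropper pattern
        verdict = "dropper-like"
    if len(spy_hits) >= 2:          # two or more surveillance capabilities
        verdict = "spyware-like" if verdict == "benign-looking" else "dropper+spyware"
    return {"verdict": verdict, "dropper": dropper_hits, "spyware": spy_hits}


if __name__ == "__main__":
    for label, manifest in (("dropper", DROPPER_MANIFEST),
                            ("payload", PAYLOAD_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

This is a triage heuristic, not a verdict: a launcher legitimately needs QUERY_ALL_PACKAGES and an SMS client legitimately reads SMS. What makes the combination suspicious in FireScam's case is that it appears in an app sideloaded from a github.io page posing as a store, so the permission profile should be weighed together with where the APK came from.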

Fig 2. The Fake Telegram App’s Welcome and Permissions Pages. Source: CYFIRMA

Advanced Tactics for Data Theft

FireScam connects to a Firebase Realtime Database to exfiltrate stolen data in real time. It also keeps a persistent connection to a Firebase-hosted command-and-control (C2) endpoint, through which attackers can issue additional commands, adjust surveillance parameters, and push further malicious payloads. Because Firebase is a legitimate Google service used by countless benign apps, this traffic blends in with normal app activity.

Its capabilities don’t stop there. FireScam meticulously monitors user activity, including screen states, app usage, and any input on the device. This allows it to capture a wealth of data, including financial information and sensitive communications.

The Growing Threat to Android Users

FireScam’s advanced evasion techniques and sophisticated targeting methods highlight the evolving nature of mobile threats. By exploiting the popularity of trusted apps like Telegram and leveraging legitimate platforms such as Firebase, the malware exemplifies the increasing complexity of modern cyberattacks.

While the malware appears to focus on users within Russia due to its connection to RuStore, cybersecurity experts warn that similar tactics could easily expand to other regions and apps.

Protect Yourself Against FireScam

To stay safe from threats like FireScam, follow these essential tips:

  • Avoid Untrusted Sources: Only download apps from official app stores like Google Play, and check the store's domain before installing anything; a site served from a github.io address is not RuStore, however convincing the page looks.
  • Update Regularly: Keep your Android OS and apps updated to benefit from the latest security patches.
  • Be Cautious with Links: Avoid clicking on unfamiliar links or downloading files from unknown websites.
  • Use Security Software: Install reputable mobile security software, such as Certo AntiSpy, to help detect and block malware.
  • Stay Alert: Be skeptical of apps or services that promise premium features for free, especially from unfamiliar sources.
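For readers with developer tooling, the most useful check behind the "untrusted sources" advice is to ask the device which packages did not come from a store. The following added example (the editor's, not part of the article) parses the output of `adb shell pm list packages -i`, whose line format is assumed to be `package:<name>  installer=<installer package or null>`, and reports sideloaded apps. It also flags the chain the article describes, where one non-store app (the dropper) is recorded as the installer of another (the payload). The sample output and package names are constructed, and the trusted-installer list (Google Play's `com.android.vending` and RuStore's `ru.vk.store`) is an assumption to adjust for your environment.

```python
import re

# Installer package names treated as legitimate stores (assumption).
TRUSTED_INSTALLERS = {"com.android.vending", "ru.vk.store"}

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.example.getapps  installer=null
package:com.example.telegrampremium  installer=com.example.getapps
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package (None when pm reports null)."""
    installers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def audit(text, trusted=TRUSTED_INSTALLERS):
    """Return {package: reason} for every package not installed by a trusted store.

    A package installed by another app that is itself not from a store is
    reported as a dropper chain, which is how a GetAppsRu-style dropper
    installing a second APK shows up on the device."""
    installers = parse_pm_list(text)
    findings = {}
    for pkg, inst in installers.items():
        if inst is None:
            findings[pkg] = "sideloaded (no installer recorded)"
        elif inst in trusted:
            continue
        elif inst in installers and installers[inst] not in trusted:
            findings[pkg] = f"installed by non-store app {inst} (dropper chain)"
        else:
            findings[pkg] = f"installed by {inst}"
    return findings


if __name__ == "__main__":
    for pkg, reason in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{pkg}: {reason}")
```

On a real device, pipe `adb shell pm list packages -i` into `audit()`; anything it reports deserves a look at the package's permissions and at where the APK was downloaded from.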

As FireScam demonstrates, attackers continue to develop new and sophisticated ways to exploit mobile users. Remaining vigilant and following cybersecurity best practices is crucial to protecting your personal information.