New FireScam Android data-theft malware poses as Telegram Premium app
![]() 1155 Tuesday, 07 January, 2025, 18:06 A new Android malware named ‘FireScam’ is being distributed as a premium version of the Telegram app via phishing websites on GitHub that mimick the RuStore, Russia's app market for mobile devices. RuStore launched in May 2022 by the Russian internet group VK (VKontakte) as an alternative to Google Play and Apple’s App Store, following Western sanctions that impacted Russian users’ access to mobile software. It hosts apps that are compliant with Russian regulations and it was created with the support of the Russian Ministry of Digital Development. According to researchers at threat management company Cyfirma, the malicious GitHub page mimicking RuStore first delivers a dropper module called GetAppsRu.apk. The dropper APK is obfuscated using DexGuard to evade detection and acquires permissions that allow it to identify installed apps, gives it access to the device’s storage, and install additional packages. Next, it extracts and installs the main malware payload, ‘Telegram Premium.apk’, which requests permissions to monitor notifications, clipboard data, SMS, and telephony services, among others.FireScam capabilities FireScam establishes communication with a Firebase Realtime Database where it uploads stolen data in real-time and registers the compromised device with unique identifiers, for tracking purposes. Cyfirma reports that stolen data is only stored in the database temporarily and then wiped, presumably after the threat actors filtered it for valuable information and copied it to a different location. The malware also opens a persistent WebSocket connection with the Firebase C2 endpoint for real-time command execution like requesting specific data, triggering immediate uploads to the Firebase database, downloading and executing additional payloads, or adjusting the surveillance parameters. FireScam can also monitor changes in the screen activity, capturing on/off events and log the active app at the time as well as activity data for events lasting for more than 1,000 milliseconds. The malware also meticulously monitors any e-commerce transactions, attempting to capture sensitive financial data. Anything the user types, drags and drops, copies to clipboard, and intercepts even data automatically filled from password managers or exchanges between apps, categorized, and exfiltrated to the threat actors. |
Russia becomes first country to recognise Taliban government of Afghanistan
218Yesterday, 23:46"There are no longer any conditions for the operation of "Sputnik Azerbaijan" - Kiselyov
256Yesterday, 17:58Azerbaijani news websites restricted in Russia
197Yesterday, 15:58Liverpool striker Diogo Jota dies in car crash
227Yesterday, 14:58Aliyev laid the foundation stone for a railway and bus station in occupied Stepanakert
334Yesterday, 13:40UN accuses Israel of one of the world's worst genocides
295Yesterday, 13:22Passengers of the delayed Moscow-Yerevan flight have returned to Yerevan (video)
322Yesterday, 11:41#Lenta.ru: "Aliyev's son owes almost 1 million rubles for an elite mansion"
274Yesterday, 10:29