Monday, January 6, 2025
The Android malware FireScam has been discovered masquerading as a Telegram Premium app and spreading through a phishing website hosted on GitHub that mimics RuStore, a Russian app marketplace. RuStore was launched in 2022 as an alternative to Google Play and the App Store after tech sanctions were imposed on Russia. According to a report from the cybersecurity firm Cyfirma, the fake site prompts users to download a file named GetAppsRu.apk, which acts as a dropper and is obfuscated with DexGuard to evade detection. The dropper requests access to device data, such as the list of installed apps and storage, and then installs the additional malware.
Once the dropper is activated, it installs Telegram Premium.apk, which requests sensitive permissions, including access to notifications, clipboard data, and SMS messages. The malware also presents a fake login page in a WebView that resembles the Telegram login interface in order to steal user credentials. The stolen data is sent to a Firebase Realtime Database, where it is filtered before being transferred to another endpoint. In addition, the malware maintains a WebSocket connection to its Firebase-hosted command-and-control (C2) endpoint for real-time command execution, including downloading and running new code.
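The two-stage behaviour described above (a dropper that installs a second APK and enumerates apps, followed by a payload that reads SMS and notifications) leaves a footprint in each APK's manifest. The following triage script is an added example, not code from the Cyfirma report or from the FireScam samples: it maps those behaviours onto the standard Android permission names that grant them and flags a decoded AndroidManifest.xml (as produced by apktool, for instance) accordingly. The three sample manifests are constructed for illustration and are not the real FireScam manifests. Note the caveats built in: clipboard access has no manifest footprint at all, and a lone install permission only earns "review", because legitimate third-party app stores request it too.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper/stealer indicators.

Added example, not from the Cyfirma report. Permission mapping and sample
manifests are the author's own constructions for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability -> <uses-permission> names that grant it (any one triggers the hit).
INDICATORS = {
    "dropper (can install further APKs)": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.INSTALL_PACKAGES",
    },
    "enumerates installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "reads SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "reads storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}
# Notification access is not a <uses-permission>; it is a <service> guarded by this
# system permission. Clipboard access has no manifest footprint, so it is not
# detectable by a static manifest check at all.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifests (not real FireScam artifacts).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Sample dropper"/>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Sample payload">
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Sample benign app"/>
</manifest>"""


def requested_permissions(root):
    """Set of permission names declared via <uses-permission>."""
    return {el.get(ATTR_NAME) for el in root.iter("uses-permission") if el.get(ATTR_NAME)}


def declares_notification_listener(root):
    """True if any <service> is bound with the notification-listener permission."""
    return any(svc.get(ATTR_PERMISSION) == NOTIFICATION_LISTENER for svc in root.iter("service"))


def triage_manifest(xml_text):
    """Return the list of indicator labels present in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    hits = [label for label, needed in INDICATORS.items() if perms & needed]
    if declares_notification_listener(root):
        hits.append("reads notifications")
    return hits


def verdict(hits):
    """Two or more of the core stealer/dropper capabilities -> block; one -> review.
    A lone install permission is only 'review' because app stores need it too."""
    core = {"dropper (can install further APKs)", "reads SMS", "reads notifications"}
    n = len(core & set(hits))
    return "block" if n >= 2 else "review" if n == 1 else "allow"


if __name__ == "__main__":
    for name, manifest in [("dropper", DROPPER_MANIFEST),
                           ("payload", PAYLOAD_MANIFEST),
                           ("benign", BENIGN_MANIFEST)]:
        hits = triage_manifest(manifest)
        print(f"{name}: {verdict(hits)} {hits}")
```

In a real pipeline the manifest would come from decoding a sideloaded APK pulled off the device; the point of the example is that the dropper and the payload look different on paper, and only the payload's combination of SMS and notification access is strong enough on its own to block.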
Cyfirma describes FireScam as sophisticated malware that combines anti-analysis and evasion techniques with broad surveillance capabilities, such as monitoring app usage, detecting online transactions, and capturing data entered through the clipboard and password managers. The company advises users to be cautious when downloading files from untrusted sources and to avoid clicking suspicious links to minimize the risk of falling victim to this malware.