An Android info stealing malware named FireScam has been discovered masquerading as a premium model of the Telegram messaging app to steal information and keep persistent distant management over compromised units.
“Disguised as a pretend ‘Telegram Premium’ app, it’s distributed by a GitHub.io-hosted phishing website that impersonates RuStore – a well-liked app retailer within the Russian Federation,” Cyfirma stated, describing it as a “refined and multifaceted risk.”
“The malware employs a multi-stage an infection course of, beginning with a dropper APK, and performs intensive surveillance actions as soon as put in.”
The phishing website in query, rustore-apk.github[.]io, mimics RuStore, an app retailer launched by Russian tech big VK within the nation, and is designed to ship a dropper APK file (“GetAppsRu.apk”).
As soon as put in, the dropper acts as a supply automobile for the principle payload, which is answerable for exfiltrating delicate information, together with notifications, messages, and different app information, to a Firebase Realtime Database endpoint.
The dropper app requests a number of permissions, together with the flexibility to put in writing to exterior storage and set up, replace, or delete arbitrary apps on contaminated Android units operating Android 8 and later.
“The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app’s designated proprietor. The preliminary installer of an app can declare itself the ‘replace proprietor,’ thereby controlling updates to the app,” Cyfirma famous.
“This mechanism ensures that replace makes an attempt by different installers require consumer approval earlier than continuing. By designating itself because the replace proprietor, a malicious app can forestall reliable updates from different sources, thereby sustaining its persistence on the machine.”
FireScam employs numerous obfuscation and anti-analysis strategies to evade detection. It additionally retains tabs on incoming notifications, display screen state adjustments, e-commerce transactions, clipboard content material, and consumer exercise to collect info of curiosity. One other notable operate is its capacity to obtain and course of picture information from a specified URL.
The rogue Telegram Premium app, when launched, additional seeks customers’ permission to entry contact lists, name logs, and SMS messages, after which a login web page for the reliable Telegram web site is displayed by a WebView to steal the credentials. The information gathering course of is initiated no matter whether or not the sufferer logs in or not.
Lastly, it registers a service to obtain Firebase Cloud Messaging (FCM) notifications, permitting it to obtain distant instructions and keep covert entry – an indication of the malware’s broad monitoring capabilities. The malware additionally concurrently establishes a WebSocket reference to its command-and-control (C2) server for information exfiltration and follow-on actions.
Cyfirma stated the phishing area additionally hosted one other malicious artifact named CDEK, which is probably going a reference to the Russia-based package deal and supply monitoring service. Nevertheless, the cybersecurity firm stated it was unable to acquire the artifact on the time of research.
It is presently not clear who the operators are, or how customers are directed to those hyperlinks, and if it includes SMS phishing or malvertising strategies.
“By mimicking reliable platforms such because the RuStore app retailer, these malicious web sites exploit consumer belief to deceive people into downloading and putting in pretend purposes,” Cyfirma stated.
“FireScam carries out its malicious actions, together with information exfiltration and surveillance, additional demonstrating the effectiveness of phishing-based distribution strategies in infecting units and evading detection.”
