New Android Malware Discovered in Fake Telegram Premium App

Mobile phones, 08.01.2025, 10:00 AM

Researchers at the company Cyfirma have discovered FireScam, an Android malware disguised as a premium version of the popular Telegram app (“Telegram Premium”), which steals data and maintains continuous remote control over infected devices.

FireScam is the latest example of information-stealing malware masquerading as a legitimate application. It uses social engineering and phishing tactics to compromise users’ devices and steal sensitive data such as login credentials, financial information and messages, posing a significant threat to users’ privacy.

FireScam primarily spreads through phishing websites designed to look like popular app stores. In this case, the malware is disguised as a “Telegram Premium” app and distributed via a phishing website hosted on GitHub.io, which imitates RuStore, a well-known Russian app store owned by the Russian tech giant VK. This strategy exploits users’ trust in well-known app stores.

Infection of the device takes place in several stages, starting with a dropper APK file (“GetAppsRu.apk”). Once the malware is installed, it carries out extensive monitoring of the device.

Once installed on the victim’s device, the dropper becomes the delivery vehicle for the main malware. It requests permissions to view the list of installed applications, access external storage, and delete, install and update applications without user consent. It also restricts app updates on infected devices running Android 8 and above, ensuring persistence: the malware designates itself as the owner of the update and can thus prevent legitimate updates from other sources.

FireScam has numerous malicious features designed to steal sensitive user data and track device activity. It exfiltrates sensitive data, including real-time notifications, messages and application data, and actively monitors notifications across various applications, capturing sensitive information and tracking user activity. It also steals financial data such as account balances and mobile transaction details.
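As an added defender-side example (not from the article or from Cyfirma’s report), the following script triages an Android manifest for the permission profile described in the two paragraphs above: listing installed apps, external storage access, installing and deleting packages, plus a notification listener. The permission names are this example’s assumption about how those capabilities map to a manifest, and the sample manifest is constructed.

```python
"""Flag an Android manifest whose permission profile matches the one the
article attributes to the FireScam dropper. Permission names are standard
Android ones; mapping them to the described capabilities is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability described in the article -> permission assumed to grant it
DROPPER_PROFILE = {
    "list installed apps": "android.permission.QUERY_ALL_PACKAGES",
    "external storage": "android.permission.READ_EXTERNAL_STORAGE",
    "install packages": "android.permission.REQUEST_INSTALL_PACKAGES",
    "delete packages": "android.permission.REQUEST_DELETE_PACKAGES",
}
# A service guarded by this permission receives every notification on the device
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample manifest (placeholder package name, not the real dropper's)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return which dropper capabilities the manifest declares, whether it hosts
    a notification listener, and a coarse verdict for analyst review."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    matched = [cap for cap, perm in DROPPER_PROFILE.items() if perm in declared]
    listens = any(s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER_PERM
                  for s in root.iter("service"))
    if len(matched) == len(DROPPER_PROFILE):
        verdict = "suspicious"   # full dropper profile present
    elif matched:
        verdict = "review"       # partial overlap, many legitimate apps land here
    else:
        verdict = "clean"
    return {"matched": matched, "notification_listener": listens, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The verdict is a triage hint only: package installers and backup tools legitimately declare several of these permissions, so a “suspicious” result means “inspect”, not “malicious”.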

The malware actively monitors the clipboard, content shared between applications and screen state changes. It can also track user activity in e-commerce applications, including purchases and refunds. It monitors screen activity and relays significant events to a command-and-control server operated by the attacker.

FireScam uses advanced techniques to avoid detection, including sandbox detection mechanisms.

When launched, the fake Telegram Premium app asks for the user’s permission to access contact lists, call logs and SMS messages, after which a login page for the legitimate Telegram website is displayed in a WebView in order to steal credentials. The data collection process is initiated regardless of whether the victim logs in or not.

Its continuous monitoring of device activity allows attackers to exploit user behaviour for malicious purposes such as phishing, identity theft and financial fraud. The presence of the malware threatens the confidentiality and integrity of sensitive data, affecting both individuals and organizations, especially those that handle sensitive information.

Source: www.informacija.rs