FireScam infostealer poses as Telegram Premium app to surveil Android devices

updated Android malware dubbed FireScam tricks people into thinking they are downloading a Telegram Premium application that stealthily monitors victims' notifications, text messages, and app activity, while stealing sensitive information via Firebase services.

Cyfirma researchers spotted the new infostealer with spyware capabilities and said the malware is distributed through a GitHub.io-hosted phishing website that mimics RuStore, a popular Russian Federation app store.

The phishing site delivers a dropper named ru[.]store[.]installer and it installs as GetAppsRu[.]apk. When launched, it prompts users to install Telegram Premium.

Of course, this isn't really the messaging app but rather the FireScam malware, and it targets devices running Android 8 through 15.

Once installed, it requests a series of permissions that allow it to query and list all installed applications on the device, access and modify external storage, and install and delete other apps.

Plus, one of the permissions designates the miscreant who installed FireScam as the app's "update owner," thus preventing legitimate updates from other sources and enabling the malware to maintain persistence on the victim's device.

Attackers can use the infostealer/surveillance malware to intercept and steal sensitive device and personal information, including notifications, messages, other app data, clipboard content, and USSD responses, which may include account balances, mobile transactions, or network-related data.

"These logs are then exfiltrated to a Firebase database, granting attackers remote access to the captured details without the user's knowledge," Cyfirma's researchers noted.

Stolen data is temporarily stored in the Firebase Realtime Database, filtered for valuable information, and then later removed.

• How Androxgh0st rose from Mozi's ashes to become 'most prevalent malware'
• Phishers cast wide net with spoofed Google Calendar invites
• Android beefs up Bluetooth tag stalker protections
• Victims lose $70K to one single wallet-draining app on Google's Play Store

This use of legitimate services – specifically Firebase, in this case, for data exfiltration and command-and-control (C2) communications – also helps the malware evade detection and is a tactic increasingly used to disguise malicious traffic and payloads.

FireScam registers a service to receive Firebase Cloud Messaging (FCM) notifications. Whenever the app receives a Firebase push notification, this triggers the messaging service.

This can be used to receive remote commands from the C2 server and execute specific actions, and silently deliver additional malicious payloads that can be downloaded and installed remotely.

"The app can also exfiltrate sensitive data from the device to a remote server without the user's awareness, maintaining continuous communication with the remote server even when the app is not actively in the foreground," the researchers warned.

This communication also makes it more difficult for security tools to detect. Plus, the malware profiles the device, which allows it to tailor its behavior to specific environments and further bypass security controls. ®

Updated to add at 1915 UTC on January 10, 2025

A Google spokesperson told The Register on Friday, "Based on our current detection, no apps containing this malware are present on Google Play."

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play," the spokesperson said.