New year, new horror: "FireScam", a newly identified Android malware family, is being spread as a counterfeit version of the Telegram Premium app through phishing websites hosted on GitHub.
According to BleepingComputer, these sites impersonate RuStore, Russia's government-backed app store, which launched in 2022 as an alternative to Google Play and the Apple App Store in response to Western sanctions.
According to the researchers, the phishing sites first serve a malicious installation package named GetAppsRu.apk, which acts as a dropper. A dropper is a small piece of software whose only job is to deliver and install the real malware. This file is obfuscated with DexGuard, a commercial Android obfuscation tool, to hide its true function and evade security tooling. Once installed, the dropper requests permission to enumerate installed applications, read the device's storage, and install new packages.
The dropper then installs and launches the main payload, disguised as Telegram Premium.apk, which requests broad permissions to read notifications, clipboard contents, SMS messages, and phone state. When launched, the app displays a fake login page styled after Telegram's. This spoofed screen harvests the user's credentials and sends them to the attackers. Not a pleasant thought, is it?
FireScam communicates with a remote database hosted on Firebase, a legitimate Google cloud platform, which lets its traffic blend in with ordinary app traffic. It uploads stolen data in real time and assigns each infected device a unique ID for tracking. The malware also keeps a persistent connection to Firebase in order to receive commands, download additional malicious payloads, and adjust its surveillance behaviour.
Furthermore, FireScam closely monitors user activity, such as screen changes and e-commerce transactions, in order to capture sensitive financial data. It records everything users type, copy, or interact with, including values autofilled by password managers or shared between applications. The captured data is filtered for anything the attackers consider valuable and then exfiltrated. Definitely not enjoyable.
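The behaviour described above (a loader that wants to enumerate apps, read storage and install packages; a payload that wants SMS, phone state and a notification listener and talks to a Firebase Realtime Database) is something you can triage statically before running a sample. The script below is an added example, not code from the article or from the researchers: it reads a decoded AndroidManifest.xml (as produced by apktool) plus a plain-text strings dump of the unpacked APK, and flags the permission combinations and Firebase hosts that match this pattern. The mapping from the article's wording to concrete permission constants is my assumption, and the three manifests and the strings dump are constructed for the example.

```python
"""Static triage of a decoded APK for a dropper / spyware permission pattern
and hard-coded Firebase Realtime Database hosts.

Inputs: the decoded AndroidManifest.xml text and a strings dump of the APK.
Permission sets below are an assumed mapping of the behaviours described in
the article; tune them to your own corpus.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: "enumerate installed apps, read storage, install packages".
DROPPER_PERMS = {
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Assumed mapping: "SMS messages, phone state, contacts".
PAYLOAD_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
}
# A notification listener is declared as a <service> guarded by this permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Realtime Database endpoints live under firebaseio.com; the project label in
# front is per-attacker and is the value worth pivoting on.
FIREBASE_HOST_RE = re.compile(
    r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)*\.firebaseio\.com)", re.I)


def manifest_permissions(manifest_xml: str) -> set:
    """All android:name values of <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def has_notification_listener(manifest_xml: str) -> bool:
    """True if any <service> is protected by the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
               for svc in root.iter("service"))


def firebase_hosts(strings_dump: str) -> list:
    """Unique, lower-cased firebaseio.com hosts found in the strings dump."""
    return sorted({m.group(1).lower() for m in FIREBASE_HOST_RE.finditer(strings_dump)})


def triage(manifest_xml: str, strings_dump: str = "") -> dict:
    """Score one APK and return the evidence plus a list of human-readable flags."""
    perms = manifest_permissions(manifest_xml)
    dropper_hits = sorted(perms & DROPPER_PERMS)
    payload_hits = sorted(perms & PAYLOAD_PERMS)
    listener = has_notification_listener(manifest_xml)
    hosts = firebase_hosts(strings_dump)
    flags = []
    if len(dropper_hits) >= 3:
        flags.append("dropper-like permission set")
    if len(payload_hits) >= 2 or listener:
        flags.append("spyware-like permission set")
    if hosts and (payload_hits or listener):
        flags.append("firebase C2 candidate")
    return {"dropper_perms": dropper_hits, "payload_perms": payload_hits,
            "notification_listener": listener, "firebase_hosts": hosts,
            "flags": flags}


# Constructed samples (not real FireScam artefacts).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sample.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sample.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

PAYLOAD_STRINGS = """https://constructed-sample-default-rtdb.firebaseio.com/devices.json
https://example.org/terms
https://CONSTRUCTED-SAMPLE-default-rtdb.firebaseio.com/cmds.json"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sample.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, mf, st in (("dropper", DROPPER_MANIFEST, ""),
                          ("payload", PAYLOAD_MANIFEST, PAYLOAD_STRINGS),
                          ("benign", BENIGN_MANIFEST, "")):
        print(label, triage(mf, st)["flags"])
```

The thresholds are deliberately loose: a legitimate app store client also asks for REQUEST_INSTALL_PACKAGES and QUERY_ALL_PACKAGES, so the dropper flag is a reason to look closer, not a verdict. The Firebase host is the more useful pivot; once you have it from one sample, search your APK corpus and proxy logs for the same project label.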
Researchers point to FireScam's layered design and its evasion techniques as what makes it particularly dangerous. While the attackers' identities are unknown, the researchers advise users to be careful when installing apps, to avoid files from untrusted sources, and to avoid clicking unfamiliar links in order to reduce the chance of falling victim to attacks like this one. It really is that simple.