FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

The Hacker News | January 6, 2025


Jan 06, 2025Ravie LakshmananMalware / Mobile Security

An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices.

“Disguised as a fake ‘Telegram Premium’ app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation,” Cyfirma said, describing it as a “sophisticated and multifaceted threat.”

“The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed.”

The phishing site in question, rustore-apk.github[.]io, mimics RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver a dropper APK file (“GetAppsRu.apk”).


Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.

The dropper app requests several permissions, including the ability to write to external storage and install, update, or delete arbitrary apps on infected Android devices running Android 8 and later.

“The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app’s designated owner. The initial installer of an app can declare itself the ‘update owner,’ thereby controlling updates to the app,” Cyfirma noted.

“This mechanism ensures that update attempts by other installers require user approval before proceeding. By designating itself as the update owner, a malicious app can prevent legitimate updates from other sources, thereby maintaining its persistence on the device.”
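The permission profile described above (install/update/delete rights plus update ownership on the dropper, contacts/call-log/SMS on the fake Telegram Premium app) is something a triage pipeline can flag from a decoded manifest. The script below is an added example, not Cyfirma's tooling; the mapping of permission names to categories and the sample manifest are assumptions of the example, not values the article lists.

```python
"""Manifest triage for sideloaded APKs (added example, not Cyfirma's tooling).

Flags the combination the article attributes to the FireScam dropper: the
ability to install/remove packages together with ENFORCE_UPDATE_OWNERSHIP,
and the PII access the fake Telegram Premium app requests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of manifest permissions to the behaviours the article describes.
PERMISSION_CATEGORIES = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "package_control",
    "android.permission.REQUEST_DELETE_PACKAGES": "package_control",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "update_ownership",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_CONTACTS": "pii",
    "android.permission.READ_CALL_LOG": "pii",
    "android.permission.READ_SMS": "pii",
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission> names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}

def triage(manifest_xml: str) -> dict:
    """Group suspicious permissions by category and derive a verdict.

    'dropper_like' is True when the app can install/remove packages AND claim
    update ownership, the persistence pattern described in the article.
    """
    hits: dict[str, list[str]] = {}
    for perm in sorted(declared_permissions(manifest_xml)):
        cat = PERMISSION_CATEGORIES.get(perm)
        if cat:
            hits.setdefault(cat, []).append(perm)
    return {
        "categories": hits,
        "dropper_like": "package_control" in hits and "update_ownership" in hits,
        "pii_access": "pii" in hits,
    }

# Constructed manifest for a self-test; not the real FireScam manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.dropper">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against the output of `apktool d` (or any tool that decodes the binary manifest to XML) to get a first-pass verdict before deeper analysis.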


FireScam employs various obfuscation and anti-analysis techniques to evade detection. It also keeps tabs on incoming notifications, screen state changes, e-commerce transactions, clipboard content, and user activity to gather information of interest. Another notable function is its ability to download and process image data from a specified URL.

The rogue Telegram Premium app, when launched, further seeks users’ permission to access contact lists, call logs, and SMS messages, after which a login page for the legitimate Telegram website is displayed through a WebView to steal the credentials. The data gathering process is initiated regardless of whether the victim logs in or not.

Lastly, it registers a service to receive Firebase Cloud Messaging (FCM) notifications, allowing it to receive remote commands and maintain covert access – a sign of the malware’s broad monitoring capabilities. The malware also simultaneously establishes a WebSocket connection with its command-and-control (C2) server for data exfiltration and follow-on activities.


Cyfirma said the phishing domain also hosted another malicious artifact named CDEK, which is likely a reference to a Russia-based package and delivery tracking service. However, the cybersecurity company said it was unable to obtain the artifact at the time of analysis.

It is currently not clear who the operators are, how users are directed to these links, or whether the distribution relies on SMS phishing or malvertising techniques.

“By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit user trust to deceive individuals into downloading and installing fake applications,” Cyfirma said.

“FireScam carries out its malicious activities, including data exfiltration and surveillance, further demonstrating the effectiveness of phishing-based distribution methods in infecting devices and evading detection.”
