An Android infostealer malware called FireScam disguised as a fake Telegram Premium app was discovered being distributed through a GitHub.io phishing site that impersonates the RuStore, a popular app store used in Russia.
Cyfirma researchers explained Dec. 30 that the FireScam malware looks to exfiltrate sensitive Android data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.
The FireScam malware monitors Android device activities, such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly.
“By capitalizing on the widespread usage of popular apps [like Telegram] and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices,” wrote the Cyfirma researchers.
FireScam's broad monitoring and persistence on Androids concerning
T. Frank Downs, senior director of proactive services at BlueVoyant, pointed out that Telegram is one of the most widely used messaging apps globally, especially in Russia, where it has surpassed WhatsApp in traffic volume as of 2023.
Downs said there are multiple unique aspects that make FireScam especially nefarious, starting with its persistence and broad monitoring capabilities. Downs said the malware's ability to designate itself as the primary app updater prevents other installers from modifying it, ensuring a persistent presence on the device. Additionally, its capacity to intercept, hide, and manipulate unstructured supplementary service data (USSD) is noteworthy, said Downs, as USSD can sometimes involve sensitive data like authentication codes.
“Broadly speaking, any Android user who’s not vigilant about security is at risk from this malware,” said Downs. “However, given that it’s distributed through a phishing website mimicking the RuStore app store, it seems that Russian Android users are the primary targets. That said, it’s difficult to determine to what end Russians may be targeted due to the sweeping level of exploitation this malware enables.”
Eric Schwake, director of cybersecurity strategy at Salt Security, said that the FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated.
“Although using phishing websites for malware distribution is not a new tactic, FireScam's specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers' evolving techniques to mislead and compromise unsuspecting users,” said Schwake. “This situation highlights the critical need for securing APIs, which often serve as the foundation of mobile applications. Although this specific malware doesn't directly leverage APIs, it emphasizes the risk of attackers using compromised devices to access sensitive data and systems through mobile app APIs.”
Stephen Kowski, Field CTO at SlashNext Email Security, explained that the FireScam malware’s sophistication lies in its ability to maintain persistence through clever permission manipulation and its use of Firebase Cloud Messaging for command and control: techniques that highlight the need for advanced mobile threat detection that can identify malicious behaviors beyond simple signature matching.
“Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels,” said Kowski. “The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised.”
Matt Bromiley, lead solutions engineer at LimaCharlie, said anytime an app can offer a Premium service for “free,” it’s likely to garner more attention and receive more downloads. Bromiley said we often see similar campaigns using other messaging apps, hoping to trick users into downloading the malicious/hijacked version.
“This type of campaign is effective as it seeks out victims looking for popular applications,” said Bromiley. “Messaging applications like Telegram are used by millions, thus, the target pool is very large and can lead to a significant number of downloads and installs. Furthermore, very few users actually read/inspect the list of permissions requested by an application — they simply click 'Accept' or 'Yes,' and move past the warnings. This is another reason why malware can request such vast, powerful permissions with success.”
