The name of an Android malware that steals information FireScam was found masquerading as a premium version of Telegram messaging app to steal data and maintain constant remote control over compromised devices.
“Disguised as a fake ‘Telegram Premium’ app, it is distributed via a phishing site on GitHub.io that pretends to be RuStore, a popular app store in the Russian Federation,” Cyfirma reported. saiddescribing it as a “complex and multi-faceted threat”.
“The malware uses a multi-stage infection process starting with an APK dropper and performs extensive surveillance activities after installation.”
The phishing site in question, rustore-apk.github(.)io, impersonates RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver an APK dropper file (“GetAppsRu.apk”).
Once installed, the dropper acts as a means of delivering the core payload responsible for transferring sensitive data, including notifications, messages, and other application data, to the Firebase Realtime database endpoint.
The dropper app requests several permissions, including the ability to write to external storage and install, update, or uninstall arbitrary apps on infected Android devices running Android 8 and later.
“The ENFORCE_UPDATE_OWNERSHIP permission restricts application updates to the designated application owner. The original installer of the app can declare itself the ‘update owner’, thereby controlling updates to the app,” Cyfirma noted.
“This mechanism ensures that update attempts by other installers require user approval before proceeding. By marking itself as the owner of the update, the malware can prevent legitimate updates from other sources, thereby maintaining its persistence on the device.”
FireScam uses various obfuscation and anti-analysis techniques to avoid detection. It also tracks incoming notifications, screen state changes, e-commerce transactions, clipboard contents, and user actions to gather interesting information. Another notable feature is the ability to download and process image data from a specified URL.
The Telegram Premium app, upon launch, asks users for permission to access contact lists, call logs, and SMS messages, and then displays a login page to a legitimate Telegram website via WebView for credential theft. The data collection process is triggered regardless of whether the victim is logged in or not.
Finally, it registers a service to receive Firebase Cloud Messaging (FCM) notifications, allowing it to receive remote commands and support stealth access – a sign of the malware’s extensive monitoring capabilities. The malware also simultaneously establishes a WebSocket connection to its command-and-control (C2) server for data theft and follow-up.
Cyfirma said the phishing domain also hosted another malicious artifact called CDEK, which is believed to be a link to a Russian parcel tracking and delivery service. However, the cybersecurity firm said it was unable to retrieve the artifact at the time of analysis.
It is currently unclear who the operator is, or how users are directed to these links, and whether it involves SMS phishing or malicious advertising techniques.
“By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit users’ trust to trick them into downloading and installing fake apps,” Cyfirma said.
“FireScam carries out its malicious activities including data theft and surveillance, further demonstrating the effectiveness of phishing-based distribution methods in infecting devices and evading detection.”
