Summary
FireScam malware: FireScam disguises itself as the "Telegram Premium" app and targets Android users via phishing websites that mimic trusted app stores.
Malicious features: steals sensitive data, monitors apps, tracks device activity, and maintains persistence through broad permissions.
Evasion techniques: FireScam uses obfuscation, access restrictions on its components, and sandbox detection to evade traditional security measures.
How it is exploited: social engineering and phishing exploit user trust, leading to identity theft and financial fraud.
Defense recommendations: researchers advise using antivirus software, applying regular updates, and monitoring app behaviour to strengthen mobile security.
Cybersecurity researchers at Cyfirma note that the rapid adoption of mobile applications, together with the growing number of incidents in which malware is embedded in them, gives attackers a valuable opportunity to exploit unsuspecting users.
According to their research, shared with Hackread.com, FireScam is the latest example of information-stealing malware disguised as a legitimate application and targeting Android devices. In a blog post the researchers wrote that it uses social engineering and phishing techniques to compromise users' devices and steal sensitive data such as login credentials, financial information, and personal messages, posing a serious threat to user privacy.
FireScam primarily spreads through phishing websites designed to mimic popular app stores. In this case, the malware is disguised as the "Telegram Premium" app and distributed via a phishing website hosted on GitHub.io that imitates RuStore, a prominent app store in the Russian Federation. This deceptive strategy takes advantage of users' trust in established app stores and tricks them into downloading a malicious APK file.
Fake Telegram Premium (via Cyfirma)
Once installed on a victim's device, the dropper requests permissions to query and list installed applications, access external storage, and remove, install, and update applications without user consent. It declares itself the designated update owner of the app, which restricts updates from other installers and helps the malware persist on the device.
FireScam has a wide range of malicious features designed to steal sensitive user data and monitor device activity. It exfiltrates notifications, messages, and app data to a Firebase Realtime Database endpoint, actively monitoring notifications across different apps to capture sensitive information and track user activity. It also intercepts USSD responses, exposing financial data such as account balances and mobile transaction details.
The malware also monitors the clipboard, content shared between apps, and changes in device state. It can track user activity within e-commerce apps, such as purchases and refunds, and targets messaging apps in particular, capturing their content and exfiltrating it to remote servers. It monitors screen activity as well and uploads important events to a command-and-control server.
For evasion, FireScam uses obfuscation, dynamically registered receivers with restricted access, and sandbox detection to avoid analysis and detection. It can also receive and execute commands delivered through Firebase Cloud Messaging notifications, giving the operator remote control of the infected device.
By continuously monitoring device activity, attackers can exploit user behaviour for phishing, identity theft, and financial fraud. The presence of this malware compromises the confidentiality and integrity of sensitive data and can affect both individuals and organizations, especially those that handle sensitive information. This highlights the need for reliable antivirus software, regular software updates, and vigilance online.
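One concrete way to act on the "monitor app behaviour" advice is to triage a sideloaded APK's decoded AndroidManifest.xml for the capability combination described above: package enumeration, silent install/remove, update-ownership enforcement, external storage access, boot persistence, and a notification listener that can read every app's notifications. The script below is an added example and is not code from Cyfirma or from the FireScam sample; the mapping from the report's wording to specific Android permission names, the scoring thresholds, and both manifests (including the package name com.example.telegram.premium) are this example's own assumptions and constructed test data.

```python
"""Triage heuristic for a decoded AndroidManifest.xml (added example).

The permission names below are an assumed mapping of the behaviours the
FireScam write-up describes; the manifests at the bottom are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or '' if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


# Permissions that let an app install, remove or lock updates of packages.
INSTALLER_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install APKs outside the store",
    "android.permission.DELETE_PACKAGES": "remove apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "remove apps",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claim update ownership, blocking other installers",
}

# Other permissions the report's behaviours imply (assumed mapping).
OTHER_PERMS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "full external storage access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart at boot (persistence)",
}

# A <service> guarded by one of these is bound by the system and sees
# notifications or screen content from every other app.
SERVICE_PERMS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read every app's notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "observe screen content and input",
}


def triage_manifest(manifest_xml):
    """Return {'package', 'verdict', 'findings'} for a manifest string.

    verdict is 'high' when installer capability is combined with a
    notification/accessibility service, 'medium' for three or more
    findings, otherwise 'low'.  Thresholds are this example's assumption.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    has_installer = False
    has_listener = False

    # Manifest elements carry no namespace; only attributes use android:.
    for up in root.iter("uses-permission"):
        name = _attr(up, "name")
        if name in INSTALLER_PERMS:
            has_installer = True
            findings.append((name, INSTALLER_PERMS[name]))
        elif name in OTHER_PERMS:
            findings.append((name, OTHER_PERMS[name]))

    for svc in root.iter("service"):
        perm = _attr(svc, "permission")
        if perm in SERVICE_PERMS:
            has_listener = True
            findings.append((_attr(svc, "name"), SERVICE_PERMS[perm]))

    if has_installer and has_listener:
        verdict = "high"
    elif len(findings) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package", ""), "verdict": verdict, "findings": findings}


# Constructed manifest modelled on the capabilities described in the report.
FIRESCAM_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telegram.premium">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <service android:name=".TorchService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (FIRESCAM_LIKE, BENIGN):
        r = triage_manifest(m)
        print(r["package"], r["verdict"])
        for name, why in r["findings"]:
            print("   ", name, "->", why)
```

To use it on a real sample, decode the binary manifest first (for example with apktool or aapt2 dump xmltree) and pass the resulting XML text to triage_manifest. The heuristic is deliberately narrow: it flags the combination the report describes, not any single permission, because legitimate installers and notification utilities request some of these individually.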
Stephen Kowski, field CTO for SlashNext Email Security+, told Hackread.com: "Cybercriminals exploit trusted brands like Telegram's premium branding and legitimate channels like Firebase Cloud Messaging. To combat these advanced attacks that exploit user trust, advanced mobile threat detection, real-time app scanning, and continuous monitoring are essential."