A recently identified Android malware described as an information stealer and spyware has broad monitoring capabilities that allow it to harvest and exfiltrate sensitive information from numerous applications, threat landscape management company Cyfirma reports.
Dubbed FireScam, the malware is distributed disguised as the ‘Telegram Premium’ application, through a phishing website that mimics the legitimate RuStore application store.
The phishing website, hosted on the github[.]io domain, serves a dropper named ‘ru.store.installer’, which installs FireScam on devices running Android 8 and newer.
Once installed on the victim’s device, the dropper requests permissions to query and list all installed applications, to access and modify external storage, to delete and install applications, and to update applications without the user’s consent.
It also declares itself the app's designated update owner and restricts updates to itself, preventing other installers from updating it, which serves as a persistence mechanism on the device.
When launched, the dropper presents the option to install Telegram Premium, which is, in fact, the FireScam malware, Cyfirma says. The infostealer requests additional permissions that allow it to run in the background unrestricted.
The malware also checks process names at runtime, checks installed applications, and fingerprints the device, likely to detect whether it is running in a sandboxed or virtualized environment.
FireScam registers a service to check for Firebase Cloud Messaging (FCM) notifications, which allows it to receive commands from its command-and-control (C&C) server, and defines permissions to control access to it, effectively creating a backdoor for communication between the malware and its components.
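The dropper behaviour described above (installer-grade permissions, a claim on update ownership, unrestricted background execution, and an FCM listener for commands) is visible statically in an app's manifest. The following triage script is an added example, not Cyfirma's tooling or anything from the report: it parses a decoded AndroidManifest.xml, lists the permissions that grant each capability, checks for a service bound to the Firebase Cloud Messaging event, and returns a simple score. The manifest it runs on is constructed for the demo; only the package name `ru.store.installer` comes from the article, and declaring `ENFORCE_UPDATE_OWNERSHIP` (an Android 14 permission) is an assumption about how a dropper would claim update ownership on current releases.

```python
"""Static triage of a decoded AndroidManifest.xml.

Added example, not the report's tooling. Scores the permission set and the
FCM listener the article attributes to the FireScam dropper.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Capability each permission grants, keyed by the manifest string.
RISKY_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "read/modify external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete apps",
    # Android 14+: lets an installer block updates from other installers.
    # Assumption: a dropper claiming update ownership declares this.
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": "claim update ownership",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "run unrestricted in background",
}
# Intent action a service binds to in order to receive FCM messages.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(xml_text: str) -> dict:
    """Return the risky permissions, an FCM-listener flag and a simple score."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}
    found = {p: RISKY_PERMISSIONS[p] for p in declared if p in RISKY_PERMISSIONS}
    fcm_listener = any(
        action.get(ANDROID_NAME) == FCM_ACTION
        for service in root.iter("service")
        for action in service.iter("action")
    )
    # Installer-style permissions plus a push listener is the combination the
    # report describes: an app that can replace apps and take remote commands.
    score = len(found) + (2 if fcm_listener else 0)
    return {
        "package": root.get("package"),
        "risky_permissions": found,
        "fcm_listener": fcm_listener,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "review",
    }


# Constructed manifest mirroring the dropper behaviour described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ru.store.installer">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Telegram Premium">
    <service android:name=".FcmListener" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], "score", result["score"])
    for perm, capability in sorted(result["risky_permissions"].items()):
        print(f"  {perm}: {capability}")
```

Run it against a manifest decoded with apktool or a similar tool. An FCM listener on its own is normal for any app with push notifications; the signal the report describes is that listener sitting next to permissions that let the app enumerate, install, delete and lock updates for other packages.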
The malware can harvest sensitive device information and messages, silently intercept and log USSD responses, track and manipulate USSD interactions, monitor clipboard and content sharing, monitor user engagement and ecommerce transactions, and monitor screen state changes and notifications for a broad range of applications.
The gathered information is exfiltrated to a Firebase Realtime Database URL, and the malware can also download and process image data from a specified URL, which could potentially allow it to fetch and execute other malicious payloads.
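The exfiltration path above (writes to a Firebase Realtime Database endpoint) and the secondary fetch of "image data" from a remote URL both show up in per-app egress telemetry. The script below is an added example, not tooling from Cyfirma or Google: it runs a detection over constructed key=value log lines and flags sideloaded packages (installer not a known store) that write to Firebase RTDB hosts, plus unusually large downloads by the same packages. The log format, every line in it, the hostnames and the byte counts are constructed; only the package name `ru.store.installer` is from the article, and Google Play's installer package name `com.android.vending` is the one known store listed.

```python
"""Detection over per-app egress logs for the two network behaviours the
article describes: exfiltration to Firebase Realtime Database and payload
fetches from a remote URL. Added example; log format and lines are constructed.
"""
import re
from fnmatch import fnmatch

# Constructed per-app egress log: one event per line, key=value fields.
SAMPLE_LOG = """\
ts=2025-01-06T09:58:10Z pkg=com.android.chrome installer=com.android.vending host=www.example.com method=GET bytes=512
ts=2025-01-06T09:58:41Z pkg=ru.store.installer installer=none host=example-rtdb.firebaseio.com method=PUT bytes=18342
ts=2025-01-06T09:59:02Z pkg=ru.store.installer installer=none host=example-rtdb.firebaseio.com method=POST bytes=4096
ts=2025-01-06T09:59:30Z pkg=com.example.notes installer=com.android.vending host=example-notes.firebaseio.com method=PUT bytes=300
ts=2025-01-06T10:00:12Z pkg=ru.store.installer installer=none host=example-cdn.example.org method=GET bytes=2048000
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Installer package names treated as trusted stores; Google Play only here.
KNOWN_STORES = {"com.android.vending"}
# Hostnames used by Firebase Realtime Database instances.
FIREBASE_DB_PATTERNS = ("*.firebaseio.com", "*.firebasedatabase.app")
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; empty dict for blank or malformed lines."""
    return dict(FIELD_RE.findall(line))


def is_firebase_db(host: str) -> bool:
    return any(fnmatch(host, pattern) for pattern in FIREBASE_DB_PATTERNS)


def is_sideloaded(event: dict) -> bool:
    return event.get("installer", "none") not in KNOWN_STORES


def find_exfil_candidates(log_text: str) -> dict:
    """Per sideloaded package: count and volume of writes to Firebase RTDB hosts."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_sideloaded(ev):
            continue
        if not is_firebase_db(ev["host"]) or ev["method"] not in WRITE_METHODS:
            continue
        entry = findings.setdefault(ev["pkg"], {"writes": 0, "bytes": 0, "hosts": set()})
        entry["writes"] += 1
        entry["bytes"] += int(ev["bytes"])
        entry["hosts"].add(ev["host"])
    return findings


def find_payload_fetches(log_text: str, min_bytes: int = 1_000_000) -> list:
    """GET requests by sideloaded packages larger than min_bytes (possible payload fetch)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_sideloaded(ev) and ev["method"] == "GET" and int(ev["bytes"]) >= min_bytes:
            hits.append((ev["pkg"], ev["host"], int(ev["bytes"])))
    return hits


if __name__ == "__main__":
    for pkg, info in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"exfil candidate {pkg}: {info['writes']} writes, {info['bytes']} bytes -> {sorted(info['hosts'])}")
    for pkg, host, size in find_payload_fetches(SAMPLE_LOG):
        print(f"large download by sideloaded {pkg}: {size} bytes from {host}")
```

The Play-installed notes app writing to its own Firebase database is deliberately not flagged: Firebase is a legitimate backend, so the rule keys on the installer source first and the destination second, which is also why the `installer` field (or its equivalent from `PackageManager.getInstallSourceInfo` on the device) matters in this telemetry.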
These broad monitoring capabilities allow FireScam to stealthily observe and record system activities and trigger response actions when needed, Cyfirma notes.
“This malware employs advanced evasion techniques – abusing legitimate services like Firebase and leveraging phishing websites for distribution. Its capabilities to monitor diverse device activities, intercept sensitive information, and exfiltrate data to remote servers highlight its potential impact on user privacy and security,” Cyfirma says.
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement.
*Updated with statement from Google.