
FireScam Android Malware Packs Infostealer, Spyware Capabilities

The FireScam Android infostealer monitors app notifications and harvests credentials and financial data and sends it to a Firebase database.


A recently identified Android malware described as an information stealer and spyware has broad monitoring capabilities that allow it to harvest and exfiltrate sensitive information from numerous applications, threat landscape management company Cyfirma reports.

Dubbed FireScam, the malware is distributed disguised as the ‘Telegram Premium’ application, through a phishing website that mimics the legitimate RuStore application store.

The phishing website, hosted on the github[.]io domain, serves a dropper named ‘ru.store.installer’, which installs FireScam on devices running Android 8 and newer.

Once installed on the victim’s device, the dropper requests permissions to query and list all installed applications, to access and modify external storage, to delete and install applications, and to update applications without the user’s consent.

It also declares itself the designated owner of the installed application and restricts updates to itself, preventing other installers from updating or replacing it, which serves as a persistence mechanism on the device.

When launched, the dropper presents the option to install Telegram Premium, which is, in fact, the FireScam malware, Cyfirma says. The infostealer requests additional permissions that allow it to run in the background unrestricted.

The malware also checks process names at runtime, checks installed applications, and fingerprints the device, likely to detect whether it is running in a sandboxed or virtualized environment.

FireScam registers a service that listens for Firebase Cloud Messaging (FCM) notifications, which lets it receive commands from its command-and-control (C&C) server, and declares its own permissions to restrict access to that service, effectively creating a private channel between the malware and its components.


The malware can harvest sensitive device information and messages, silently intercept and log USSD responses, track and manipulate USSD interactions, monitor clipboard and content sharing, monitor user engagement and ecommerce transactions, and monitor screen state changes and notifications for a broad range of applications.

The gathered information is exfiltrated to a Firebase Realtime Database URL, and the malware can also download and process image data from a specified URL, which could potentially allow it to fetch and execute other malicious payloads.
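The dropper permissions, the FCM-backed command channel, the self-declared access permissions and the notification monitoring described above all leave traces in an app's manifest, so a first static triage pass can score an APK before any dynamic analysis. The script below is an added example, not code from Cyfirma, Google or the malware authors: it parses a decoded AndroidManifest.xml (as produced by apktool or androguard) and flags the capability mix. The mapping from the article's wording to concrete permission names, the scoring thresholds and both sample manifests (package names included) are my assumptions, constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for a FireScam-style capability mix.
Added example; permission mapping and sample manifests are assumptions, not page data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed mapping from the article's wording to Android permission names.
PACKAGE_MGMT = {
    "android.permission.QUERY_ALL_PACKAGES",        # list installed apps
    "android.permission.REQUEST_INSTALL_PACKAGES",  # install apps
    "android.permission.REQUEST_DELETE_PACKAGES",   # delete apps
    "android.permission.ENFORCE_UPDATE_OWNERSHIP",  # claim update ownership
}
EXTERNAL_STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(xml_text):
    """Return package name, a list of findings and a score (one point per finding)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")} - {None}
    services = list(root.iter("service"))
    findings = []

    pkg_mgmt = sorted(requested & PACKAGE_MGMT)
    if len(pkg_mgmt) >= 2:  # one of these alone is common; the combination is the tell
        findings.append("package management: " + ", ".join(pkg_mgmt))
    if requested & EXTERNAL_STORAGE:
        findings.append("external storage access")
    if any(s.get(A_PERMISSION) == NOTIFICATION_LISTENER for s in services):
        findings.append("notification listener service (reads other apps' notifications)")
    for svc in services:
        if any(a.get(A_NAME) == FCM_ACTION for a in svc.iter("action")):
            findings.append("FCM receiver: %s" % svc.get(A_NAME))
    # A service guarded by a permission the app declares itself is reachable only by
    # the app (or apps sharing its signature): a private channel between components.
    declared = {p.get(A_NAME) for p in root.iter("permission")} - {None}
    for svc in services:
        if svc.get(A_PERMISSION) in declared:
            findings.append("service %s guarded by app-declared permission %s"
                            % (svc.get(A_NAME), svc.get(A_PERMISSION)))
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}


def verdict(result):
    """FCM or storage alone is normal for legitimate apps; the combination matters."""
    if result["score"] >= 3:
        return "suspicious"
    return "review" if result["score"] else "clean"


# Constructed sample: the dropper-plus-payload capability mix in one manifest.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.installer">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <permission android:name="example.constructed.installer.permission.C2"
      android:protectionLevel="signature"/>
  <application>
    <service android:name=".FcmService" android:exported="false"
        android:permission="example.constructed.installer.permission.C2">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that uses FCM for push notifications.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(xml)
        print(r["package"], verdict(r), r["findings"])
```

Running the block scores the constructed installer manifest as "suspicious" on five findings and the constructed chat app as "review" on the single FCM finding, which is the point of the threshold: Firebase use by itself is unremarkable, and only the combination with package-management and notification-reading capabilities is worth an analyst's time.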

These broad monitoring capabilities allow FireScam to stealthily observe and record system activities and trigger response actions when needed, Cyfirma notes.

“This malware employs advanced evasion techniques – abusing legitimate services like Firebase and leverages phishing websites for distribution. Its capabilities to monitor diverse device activities, intercept sensitive information, and exfiltrate data to remote servers highlight its potential impact on user privacy and security,” Cyfirma says.

“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement.

*Updated with statement from Google.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
