Android Malware ‘FireScam’ Poses As Telegram Premium to Steal User Data

The latest Android malware, called ‘FireScam’, is being distributed as a premium version of the Telegram app through phishing sites hosted on GitHub that impersonate RuStore, a Russian app market for mobile devices.

About the FireScam malware

Russian internet group VK (VKontakte) launched RuStore in May 2022 as an alternative to Apple’s App Store and Google Play, after Western sanctions affected Russian users’ access to mobile software. RuStore hosts apps that comply with Russian regulations, and it was built with the assistance of the Russian Ministry of Digital Development.

Experts from threat management company Cyfirma believe the malicious GitHub page impersonating RuStore first delivers a dropper module named GetAppsRu.apk.

The dropper APK is obfuscated with DexGuard to evade detection, and it requests permissions that let it enumerate installed applications, access the device’s storage, and install further packages.

Once this is done, it retrieves and deploys the main malware payload, “Telegram Premium.apk”, which requests permissions to monitor notifications, read clipboard data, access telephony services and SMS, and much more.
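As an added defender-side example (not from the article or Cyfirma’s analysis), the following Python triage script parses an Android manifest and flags the permission combination described above for the dropper and payload. The permission identifiers are standard Android ones; the sample manifest and the flag threshold are constructed assumptions for illustration.

```python
# Added triage example: map an APK manifest's requested permissions onto the
# capability set the article attributes to FireScam (enumerate apps, storage,
# install packages, notifications, SMS, telephony). Not the malware's code.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> standard Android permissions that grant it.
SUSPICIOUS = {
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "read device storage": {"android.permission.READ_EXTERNAL_STORAGE",
                            "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "install further packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "read notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony access": {"android.permission.READ_PHONE_STATE"},
}

def manifest_permissions(xml_text: str) -> set:
    """Collect <uses-permission> names plus the android:permission a <service>
    binds with, because a notification listener is declared on the service."""
    names = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag == "uses-permission":
            names.add(el.get(ANDROID_NS + "name", ""))
        elif el.tag == "service":
            names.add(el.get(ANDROID_NS + "permission", ""))
    names.discard("")
    return names

def triage(xml_text: str, threshold: int = 4) -> dict:
    """Return which capabilities are granted, a hit count, and a flag when the
    count reaches the (assumed) threshold worth a manual look."""
    perms = manifest_permissions(xml_text)
    hits = {cap: bool(perms & grants) for cap, grants in SUSPICIOUS.items()}
    score = sum(hits.values())
    return {"capabilities": hits, "score": score, "flag": score >= threshold}

# Constructed sample manifest resembling the permission set described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.sample">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><service android:name=".NotifSvc"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```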

What are FireScam’s capabilities?

Once executed, a deceptive WebView screen displays a fake Telegram login page to steal the user’s credentials. FireScam communicates with a Firebase Realtime Database, uploads stolen data in real time, and tags infected devices with unique identifiers for tracking.

According to Cyfirma, stolen data is kept in the database only temporarily and is deleted once the attackers have filtered it for the information they want and copied it elsewhere.

The malware maintains a persistent WebSocket connection to the Firebase C2 endpoint for real-time command execution: downloading and installing additional payloads, triggering immediate uploads to the Firebase database, or adjusting its surveillance parameters.

FireScam also tracks screen state changes, monitoring on/off events, logging the running applications, and recording activity data for events lasting longer than 1,000 milliseconds.

Additionally, FireScam closely monitors e-commerce payments to steal sensitive financial data. It can capture keystrokes, clipboard copies, drag-and-drop actions, and data auto-filled from password managers.
