- FireScam is an information stealing malware with spyware capabilities.
It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store.
- The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application.
- The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.
- FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly.
- It captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities.
- It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers.
- FireScam performs checks to identify if it is running in an analysis or virtualized environment.
- The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads.
- Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed.
- The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site.
- By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
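As an added triage example (not code from the report or from the malware), the following script flags the combination of behaviours described above in a decompiled APK: a service declared with the notification-listener permission, a Firebase Realtime Database URL among the extracted strings, and Telegram branding on a package outside the official org.telegram.* namespace (the namespace check is an assumption). All package names, class names and URLs in the sample input are constructed placeholders, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Firebase Realtime Database hostnames: the exfiltration channel the report describes.
FIREBASE_RE = re.compile(r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\S*", re.I)

def notification_listeners(root: ET.Element) -> list[str]:
    """Services bound with the notification-listener permission can read every notification."""
    return [s.get(ANDROID_NS + "name", "") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == LISTENER_PERM]

def firebase_endpoints(strings: list[str]) -> list[str]:
    """Firebase RTDB URLs found among the APK's extracted strings."""
    return sorted({m.group(0) for s in strings for m in FIREBASE_RE.finditer(s)})

def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Flag the FireScam-style combination: notification capture + Firebase endpoint
    + Telegram branding on a package that is not an official org.telegram.* client (assumption)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    listeners = notification_listeners(root)
    endpoints = firebase_endpoints(strings)
    brand_mismatch = "telegram" in pkg.lower() and not pkg.startswith("org.telegram.")
    hits = sum([bool(listeners), bool(endpoints), brand_mismatch])
    return {"package": pkg, "notification_listeners": listeners,
            "firebase_endpoints": endpoints, "brand_mismatch": brand_mismatch,
            "suspicious": hits >= 2}

# Constructed sample input: package name, class name and URL are placeholders, not real indicators.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.telegram.premium.placeholder">
  <application>
    <service android:name=".NotifyCollector"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["https://placeholder-project-default-rtdb.firebaseio.com/users",
                  "Telegram Premium", "getActiveNotifications"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Feed it the manifest from apktool output and the strings from the decompiled classes; a hit on two of the three signals is a reason to pull the sample for manual analysis, not a verdict on its own.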