Cybersecurity experts have uncovered a new malware strain named FireScam, which disguises itself as a premium version of Telegram for Android. Researchers at CyFirma have determined that the malware is designed to steal user credentials and sensitive personal information.
The attackers distribute FireScam through a fake GitHub page mimicking RuStore, a Russian app marketplace. RuStore, launched by VK in May 2022 as a domestic alternative to Google Play and the App Store, serves as an official platform for distributing mobile applications in Russia.
FireScam operates through a two-stage mechanism. First, a dropper named GetAppsRu.apk, obfuscated using DexGuard, is installed. This dropper requests critical system permissions. Subsequently, the main malicious module, Telegram Premium.apk, is deployed, granting the malware access to notifications, the clipboard, and SMS messages.
Upon activation, FireScam displays a fake Telegram login screen to harvest user credentials. It employs Firebase Realtime Database for instant data exfiltration and tracks devices via unique identifiers. A WebSocket connection to Firebase’s command server enables real-time command execution.
The malware boasts extensive surveillance capabilities, including monitoring screen activity, tracking active applications, intercepting financial transactions, and capturing input data and clipboard contents. Special emphasis is placed on extracting information from password managers.
Given the advanced technical sophistication of FireScam and its highly developed obfuscation techniques, CyFirma experts strongly advise users to download applications exclusively from official sources and exercise caution when following external links.
