FireScam Malware Masquerades as Telegram to Steal Data

FireScam, a newly documented Android malware, disguises itself as a Telegram Premium app to steal sensitive data and take control of infected devices. It is distributed through a phishing website that imitates RuStore, a widely used Russian app store, so that the download appears to come from a trusted source.

The infection is staged: a dropper APK installs the actual spyware payload, which then exfiltrates messages, notifications, and details of installed apps to an attacker-controlled Firebase database. The dropper requests permissions far beyond what a messaging app needs, including the ability to install and delete other apps. On devices running Android 8 or later, these permissions give the malware the control it needs to persist.

One key feature of FireScam is its ability to block legitimate app updates. By designating itself as the "update owner" of the installed package, it prevents other installers from replacing the malicious app unless the user explicitly consents, so a later install of the real Telegram app does not silently overwrite it. This keeps the spyware active on the infected device.

The malware also uses obfuscation and other anti-analysis techniques to evade detection. It monitors user activity on the device, including incoming notifications, screen state changes, and clipboard content. It also downloads and processes image data from URLs supplied by its operators, which supports its surveillance role.

When the fake Telegram Premium app launches, it prompts the user to grant access to contacts, call logs, and SMS messages. It then displays a fraudulent login page mimicking Telegram's website to capture credentials. Data collection and exfiltration begin regardless of whether the victim actually enters a login.
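The permission profile described above (install and delete other apps, claim update ownership, read SMS, call logs and contacts, and read every notification) is what a triage analyst would look for in a decoded manifest. The following script is an added example written for this article, not code from the FireScam researchers or from the malware itself. It assumes the described behaviours map onto the standard Android permission names listed in the script, which are the editor's assumptions, and it runs over a constructed manifest rather than a real FireScam artifact.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed mapping of the behaviours in the article onto Android permission
# names. Weights are an arbitrary triage score, not a malware verdict.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can install other apps (dropper behaviour)", 3),
    "android.permission.INSTALL_PACKAGES": ("privileged install of other apps", 3),
    "android.permission.DELETE_PACKAGES": ("can delete other apps", 3),
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": ("claims update ownership, blocks other installers", 3),
    "android.permission.READ_SMS": ("reads SMS", 2),
    "android.permission.RECEIVE_SMS": ("intercepts incoming SMS", 2),
    "android.permission.READ_CALL_LOG": ("reads call log", 2),
    "android.permission.READ_CONTACTS": ("reads contacts", 1),
    "android.permission.QUERY_ALL_PACKAGES": ("enumerates installed apps", 1),
}

# A service bound with this permission receives every notification on the device.
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
REVIEW_THRESHOLD = 6


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the spyware/dropper permission profile."""
    root = ET.fromstring(manifest_xml)
    findings = []
    score = 0
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in SUSPECT_PERMISSIONS:
            reason, weight = SUSPECT_PERMISSIONS[name]
            findings.append(f"{name}: {reason}")
            score += weight
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == NOTIFICATION_LISTENER_PERM:
            findings.append(f"notification listener {svc.get(NAME_ATTR)}: can read every notification")
            score += 3
    return {
        "package": root.get("package"),
        "score": score,
        "findings": findings,
        "review": score >= REVIEW_THRESHOLD,
    }


# Constructed sample manifest with the permission profile the article describes.
# Package name and service name are invented; this is not a real FireScam sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
    <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Telegram Premium">
        <service android:name=".NotifySvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest for comparison: only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(m)
        print(result["package"], "score", result["score"], "review" if result["review"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

Run this against the output of a manifest decoder such as apktool; any one of the install/delete/update-ownership permissions in an app that presents itself as a messenger is worth a manual look on its own, and the score simply makes that prioritisation repeatable.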

FireScam registers itself to receive Firebase Cloud Messaging (FCM) notifications, which gives its operators a push channel for issuing remote commands. It also opens a WebSocket connection to its command-and-control server for ongoing surveillance and data exfiltration.

The phishing site hosting FireScam also appears to offer a second malicious app named after CDEK, a Russian parcel delivery and tracking service, but researchers could not fully analyze that artifact. How victims are steered to the site is not yet clear; SMS phishing or online advertisements are plausible routes.

“By imitating trusted platforms like RuStore, FireScam exploits user trust to spread fake apps,” researchers noted. “This malware effectively combines phishing and obfuscation techniques to conduct surveillance and steal data without detection.”

Preventing FireScam Attacks

To protect against FireScam, install apps only from verified sources such as Google Play, and avoid clicking on links in unsolicited SMS messages or emails. Treat any app that asks to install or delete other apps, or that a messaging app has no reason to need, such as access to SMS, call logs, and notifications, as a red flag, and review the permissions already granted on the device. Keep Android and its apps updated and use reputable mobile security software. Businesses should also train employees on phishing risks and conduct regular security audits so that unusual activity is detected early.