Researchers have found a new threat actively targeting Android users. Identified as FireScam, this Android malware primarily targets Russian users by posing as a Telegram Premium app.
FireScam Android Malware Being Distributed Via Fake RuStore App
According to a recent post from the cybersecurity firm Cyfirma, a new Android malware is actively targeting Russian users in the wild. It exhibits all the major capabilities expected of potent malware, such as evading security checks, maintaining persistence on the target device, and stealing data.
Specifically, the malware, identified as “FireScam,” spreads via phishing websites that lure victims. Predominantly, it is distributed via a fake RuStore app (RuStore is a Russian app store), served from a GitHub.io-hosted phishing site. By abusing the name of a legitimate app store, the campaign tricks users into downloading what appears to be the Telegram Premium app.
Downloading the malicious app actually installs a malware dropper APK, which in turn downloads and installs the FireScam payload. Once installed, the malware establishes persistent access on the device. Next, it performs various covert functions, such as exfiltrating messages, notifications, and other data; monitoring device screen-state changes, transactions, and clipboard activity; and employing obfuscation to evade detection. It also uses techniques to detect emulators and VM environments so as to escape analysis and monitoring.
These covert functions make the malware behave much like spyware. It first sends the stolen information to a Firebase Realtime Database endpoint as temporary storage. Later, the information is filtered and moved from the Firebase storage to another private storage location.
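As a defender-side triage aid, the following added example (not code from the Cyfirma report) maps the behaviours the article attributes to FireScam to the standard Android manifest declarations that ordinarily enable them, and flags which of those indicators a decoded AndroidManifest.xml contains. The mapping and the sample manifest are constructed assumptions for illustration; the article does not list the sample's actual permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the article): article-described behaviour -> the
# Android permissions an app ordinarily needs to perform it.
BEHAVIOUR_INDICATORS = {
    "dropper installs a second APK": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "persistence across reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "message exfiltration": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "notification capture": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "network exfiltration": {"android.permission.INTERNET"},
}
# Broadcast actions an app registers for to watch screen-state changes.
SCREEN_ACTIONS = {"android.intent.action.SCREEN_ON", "android.intent.action.SCREEN_OFF"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the article-described behaviours whose manifest indicators are present."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A notification-listener service declares its permission via android:permission.
    declared |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    found = {b for b, perms in BEHAVIOUR_INDICATORS.items() if perms & declared}
    if actions & SCREEN_ACTIONS:
        found.add("screen-state monitoring")
    return {"package": root.get("package"), "behaviours": sorted(found), "score": len(found)}


# Constructed sample manifest (hypothetical package name, not a real indicator).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".ScreenRcv">
      <intent-filter><action android:name="android.intent.action.SCREEN_OFF"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score is a prompt for manual review, not proof of malice; legitimate apps can declare several of these permissions.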
This malware aims to target a wide range of users, infecting devices running Android 8 to the latest Android 15.
The researchers have shared a detailed technical analysis of this malware in their post.
Since threat actors rely on phishing to distribute this malware, users should pay close attention to the websites they interact with. Likewise, avoiding unsolicited emails, messages, and other sources that share unexpected URLs can help prevent such threats.