In a current malware campaign, criminals are trying to trick unsuspecting victims into installing fake Telegram Premium apps from phishing sites. What actually ends up on the Android smartphone, however, is the information-stealing malware “FireScam”.
Cyfirma’s IT researchers describe the malware in detail in their analysis. FireScam is distributed from a phishing page hosted on a github.io domain, posing as a fake “Telegram Premium” app and mimicking RuStore, an app store of the Russian VK group. Instead of premium features in Telegram, however, victims get a massive data leak.
Installation via dropper
According to the analysis, the phishing site first delivers an installer with the file name “GetAppsRu.apk” and a size of around 5 MB. This installs a package called “ru.store.installer” and creates an app icon named “GetAppsRu”. Tapping it launches a dropper that offers to install Telegram Premium at the tap of an “Install” button. After a security prompt asking whether the user wants to install this app, which is displayed as “Telegram Premium”, the FireScam malware is installed. For this purpose, the dropper executes an installation package “Telegram Premium.apk” of around 3 MB.
FireScam contacts a command-and-control endpoint on Firebase and listens for Firebase Cloud Messaging (FCM) notifications; it also sends the stolen data there. Immediately after installation, it first uploads device data about the infected Android smartphone. The malware then monitors messaging apps and forwards the content of messages, and it also tracks when the phone’s screen is switched on and off. FireScam sends information such as selected conversations or notifications to the control server; specifically, messages from the Telegram, WhatsApp, Viber and VK apps are on the infostealer’s list. Monitoring of infected devices is extremely comprehensive: e-commerce transactions and the clipboard are also under surveillance. The malware can load additional malicious functions as well.

In order not to attract attention immediately, FireScam also provides the expected functions: when it starts, a dialog appears claiming that Telegram Premium features are now accessible, then it asks for further permissions, and finally it opens the genuine Telegram website in a WebView and offers a login there. Regardless of whether victims enter real or fake credentials, the data transfer begins at this point, and the conversation data from Telegram is then sent to the operators behind the malware.
At the end of the analysis, Cyfirma’s IT researchers list indicators of compromise (IOCs) that interested parties can use to check whether the malware is installed and active on a device.
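As an added illustration of how such indicators are put to use (this is example code written for this article, not Cyfirma’s tooling, and it uses only the indicators the article itself names: the dropper package “ru.store.installer” and the file names “GetAppsRu.apk” and “Telegram Premium.apk”), the following script parses the output of `adb shell pm list packages -f` and a list of files from the download folder and flags matches. The inventory format `package:<apk path>=<package name>` is the real one printed by the Android package manager; the sample lines are constructed.

```python
"""Flag the FireScam dropper indicators named in the article on an Android
device inventory. Added example, not Cyfirma's tooling. Indicators used are
only those stated in the article; the Cyfirma report lists more, which can be
added to the sets below. Inventory format: `adb shell pm list packages -f`,
i.e. one line per app of the form `package:<apk path>=<package name>`."""

import re

# Indicators from the article: dropper package name and installer file names.
SUSPICIOUS_PACKAGES = {"ru.store.installer"}
SUSPICIOUS_APK_NAMES = {"getappsru.apk", "telegram premium.apk"}

# One line of `pm list packages -f` output. The path part may itself contain
# '=' characters (Android uses them in split directory names), so the path
# group is lazy and the package name is anchored to the end of the line.
_PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_list(lines):
    """Return {package_name: apk_path} from `pm list packages -f` output.
    Lines that do not have the expected shape are ignored."""
    inventory = {}
    for line in lines:
        m = _PM_LINE.match(line.strip())
        if m:
            inventory[m.group("name")] = m.group("path")
    return inventory


def find_indicators(inventory, download_files):
    """Return a sorted list of (kind, value) findings: installed packages that
    match the dropper package name, and downloaded files whose base name
    matches one of the installer file names (case-insensitive)."""
    findings = []
    for name in inventory:
        if name in SUSPICIOUS_PACKAGES:
            findings.append(("package", name))
    for path in download_files:
        base = path.rsplit("/", 1)[-1].lower()
        if base in SUSPICIOUS_APK_NAMES:
            findings.append(("apk_file", path))
    return sorted(findings)


# Constructed sample data (not captured from a real device): one system app,
# the dropper package from the article, and a genuine Telegram client.
SAMPLE_PM_OUTPUT = [
    "package:/system/priv-app/Telecom/Telecom.apk=com.android.server.telecom",
    "package:/data/app/~~abc==/ru.store.installer-1/base.apk=ru.store.installer",
    "package:/data/app/~~def==/org.telegram.messenger-2/base.apk=org.telegram.messenger",
]
SAMPLE_DOWNLOADS = [
    "/sdcard/Download/GetAppsRu.apk",
    "/sdcard/Download/invoice.pdf",
    "/sdcard/Download/Telegram Premium.apk",
]

if __name__ == "__main__":
    inventory = parse_pm_list(SAMPLE_PM_OUTPUT)
    for kind, value in find_indicators(inventory, SAMPLE_DOWNLOADS):
        print(f"{kind}: {value}")
```

On a real device the two inputs would come from `adb shell pm list packages -f` and `adb shell ls /sdcard/Download`; a match on the package name is the stronger signal, since file names in the download folder can be anything and the dropper deletes nothing the article mentions.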
Dangerous fake apps are not only lurking on external sites. Late last year, Zscaler’s IT security researchers reported that they had discovered more than 200 malware-infected apps in Google’s Play Store over the preceding 12 months, totaling nearly eight million installations.
(DMK)
