FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'
A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.
January 6, 2025
UPDATE: This story was updated on 1-10-25 to include a statement from a Google spokesperson.
A newly documented Android spyware threat called "FireScam" uses a fake Telegram Premium application to install an infostealer that tracks, monitors, and collects sensitive data from victims' phones.
Researchers at Cyfirma, who published a new analysis of FireScam, said the campaign is part of a wider trend of threat actors disguising malware as legitimate applications and services. In this case, the malware also abuses Firebase, Google's legitimate cloud platform that mobile and Web application developers use widely.
"By capitalizing on the widespread usage of popular apps and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices," the report explained. "By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide."
The infection routine starts with a phishing site hosted on the github[dot]io domain, dressed up to look like the RuStore app store, the report said. The site delivers a malicious version of Telegram Premium, which then steals data from the targeted Android device, including notifications, messages, and more, and sends it to a Firebase Realtime Database endpoint. Because that endpoint belongs to a legitimate Google service that countless benign apps also talk to, the exfiltration traffic blends in with ordinary app-to-Firebase traffic, which is what makes the abuse of a legitimate platform effective.
Once installed, FireScam relies on periodic device checks, command-and-control (C2) communications, and local staging of collected data to keep its foothold and, when needed, fetch additional payloads, the report added.
"The FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated," Eric Schwake, director of cybersecurity strategy at Salt Security, said in a statement. "Although using phishing websites for malware distribution is not a new tactic, FireScam's specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers' evolving techniques to mislead and compromise unsuspecting users."
Solutions for Stopping Spyware Like FireScam
With these threats becoming increasingly sophisticated, it's important for cyber defenders to focus on anomalous app activity, according to a statement from Stephen Kowski, field CTO at SlashNext Email Security+.
"Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."
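The kind of check that Kowski's "suspicious permission requests" points to, as an added example (this is not Cyfirma's tooling or code from the article): a static triage in Python over an app's AndroidManifest.xml and string pool that flags the combination the report describes, notification or SMS access paired with a Firebase Realtime Database endpoint. The manifest, the URLs, the package name and the risk weights below are constructed for illustration; the only thing the logic assumes about FireScam is what the article states.

```python
"""Static triage for the pattern described in the FireScam write-up: an app
that can read notifications or SMS and talks to a Firebase Realtime Database
endpoint. Added example, not Cyfirma's tooling; the manifest, strings and risk
weights are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from typing import Iterable

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
MESSAGE_PERMS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS")

# Hypothetical weights for permissions that deserve scrutiny on a sideloaded app.
WATCHLIST = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.QUERY_ALL_PACKAGES": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 1,
}

# Realtime Database hosts: <project>.firebaseio.com (incl. -default-rtdb) and
# the regional <project>.<region>.firebasedatabase.app form.
RTDB_URL = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)(?:/[^\s\"'<>]*)?",
    re.I,
)


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    return names - {""}


def notification_listener_services(manifest_xml: str) -> list[str]:
    """Services that bind as a NotificationListenerService, either through the
    BIND_NOTIFICATION_LISTENER_SERVICE permission or the matching intent action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        binds = svc.get(ANDROID_NS + "permission") == LISTENER_PERM
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if binds or LISTENER_ACTION in actions:
            found.append(svc.get(ANDROID_NS + "name", "?"))
    return found


def firebase_endpoints(strings: Iterable[str]) -> list[str]:
    """Realtime Database URLs in the app's strings (order kept, deduplicated)."""
    seen: dict[str, None] = {}
    for s in strings:
        for url in RTDB_URL.findall(s):
            seen.setdefault(url, None)
    return list(seen)


def triage(manifest_xml: str, strings: Iterable[str]) -> dict:
    """Flag an app only when it can harvest messages or notifications AND
    carries a Realtime Database endpoint it could exfiltrate them to; a
    Firebase URL on its own is normal developer usage, not a finding."""
    perms = manifest_permissions(manifest_xml)
    listeners = notification_listener_services(manifest_xml)
    endpoints = firebase_endpoints(strings)
    score = sum(w for p, w in WATCHLIST.items() if p in perms) + 3 * len(listeners)
    harvests = bool(listeners) or any(p in perms for p in MESSAGE_PERMS)
    return {
        "score": score,
        "listeners": listeners,
        "watchlist_hits": sorted(p for p in perms if p in WATCHLIST),
        "rtdb_endpoints": endpoints,
        "flagged": harvests and bool(endpoints),
    }


# Constructed sample: a sideloaded "Telegram Premium" lookalike (fictional package).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.premiumchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SUSPECT_STRINGS = [
    "https://example-project-default-rtdb.firebaseio.com/users/",  # constructed
    "https://api.telegram.org/",
    "notification_posted",
]

# Constructed benign app: uses Firebase legitimately but cannot harvest anything.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.todo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Todo"><service android:name=".SyncSvc"/></application>
</manifest>"""
BENIGN_STRINGS = ["https://todo-app.europe-west1.firebasedatabase.app/items"]

if __name__ == "__main__":
    print(triage(SUSPECT_MANIFEST, SUSPECT_STRINGS))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS))
```

On a real sample the manifest comes out of the APK with apktool or `aapt dump xmltree`, and the string pool from `strings` over the DEX and resources; the point of the combined rule is that neither a notification listener nor a Firebase URL is malicious by itself, so a detection that fires on either alone will drown in benign apps.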
Schwake added that protecting application programming interfaces (APIs) can also help protect users from increasingly convincing phishing lures.
"Although this specific malware doesn't directly leverage APIs, it emphasizes the risk of attackers using compromised devices to access sensitive data and systems through mobile app APIs," Schwake explains. "Organizations must emphasize strong API security measures, including robust authentication, authorization, and encryption, to guard against unauthorized access and data breaches, even when they stem from compromised mobile devices."
A Google spokesperson provided a statement clarifying protections in place against the spyware.
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” according to a statement provided by a Google spokesperson. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."