
FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

An Android information-stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices.

"Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation," Cyfirma said, describing it as a "sophisticated and multifaceted threat." "The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed."

The phishing site in question, rustore-apk.github[.]io, mimics RuStore, the app store launched in Russia by tech giant VK, and is designed to deliver a dropper APK file ("GetAppsRu.apk"). Once installed, the dropper acts as a delivery vehicle for the main payload, which exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.

The dropper app requests several permissions, including the ability to write to external storage and to install, update, or delete arbitrary apps on infected devices running Android 8 and later. "The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app's designated owner. The initial installer of an app can declare itself the 'update owner,' thereby controlling updates to the app," Cyfirma noted. "This mechanism ensures that…
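The permission combination described above (install/delete apps, write to external storage, claim update ownership) is the kind of pattern a defender can check for when triaging a sideloaded APK's manifest. The following is an added example, not Cyfirma's tooling; the manifest is constructed to model the described dropper, and which permission constants FireScam actually declares is an assumption, not taken from the report.

```python
"""Triage helper: flag an Android manifest whose declared permissions match
the dropper profile described in the FireScam write-up (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups derived from the behaviour described in the article.
# The permission names are real Android constants; the assumption is that a
# dropper with these capabilities declares them in its manifest.
PROFILE = {
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                     "android.permission.INSTALL_PACKAGES"},
    "remove_apps": {"android.permission.DELETE_PACKAGES",
                    "android.permission.REQUEST_DELETE_PACKAGES"},
    "external_storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "update_ownership": {"android.permission.ENFORCE_UPDATE_OWNERSHIP"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def match_profile(perms: set) -> set:
    """Return the capability groups the permission set covers."""
    return {group for group, names in PROFILE.items() if perms & names}

def triage(manifest_xml: str, min_groups: int = 3) -> dict:
    """Flag the manifest if it covers at least min_groups of the profile."""
    perms = declared_permissions(manifest_xml)
    hits = match_profile(perms)
    return {"permissions": sorted(perms), "matched_groups": sorted(hits),
            "suspicious": len(hits) >= min_groups}

# Constructed manifest modelled on the described dropper; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.dropper">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application android:label="Telegram Premium"/>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Declaring a permission is not the same as being granted it, so the result is a triage signal for manual review, not a verdict.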

