Pierluigi Paganini January 03, 2025

FireScam malware steals credentials and financial data by monitoring Android app notifications and sending data to a Firebase database.

Cybersecurity firm Cyfirma warns of the FireScam Android info-stealing malware that supports spyware capabilities. The malicious code steals credentials and financial data by monitoring app notifications and sending the information to a Firebase database.

The malware is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain.

The website mimics the RuStore app store (an app store launched by the Russian internet group VK) and delivers a dropper that installs the FireScam malware posing as the Telegram Premium application.

The name of the package dropper is “ru.store.installer” and targets Android devices compatible with Android 8 to Android 15.

“The malware is disguised as a legitimate app to trick users into installing it, where it then steals sensitive information and exfiltrates data to Firebase C2 endpoint.” reads the report. “The exfiltrated data is temporarily stored in the Firebase Realtime Database at the URL “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” and is later removed after potentially filtering and storing the important content in another private storage location”

The dropper requests extensive permissions, such as app management, storage access, and updating or deleting apps without user consent.

The ENFORCE_UPDATE_OWNERSHIP permission allows an app to control its updates, blocking others and requiring user approval for external updates, aiding persistence.

Additional permissions requested by FireScam allow unrestricted background activity (exemption from battery optimization) and access notifications on the compromised device.

The malicious code implements obfuscation techniques, dynamic receiver access control, and sandbox detection mechanisms to avoid detection.

The app registers a service to receive Firebase Cloud Messaging (FCM) notifications. The MessagingService service is triggered when the app receives a push notification or message through Firebase.

The malware uses dynamic broadcast receivers with custom permissions, allowing only apps signed by attackers to access sensitive events or data, creating a backdoor for communication between the malicious app and other compromised apps.

The malware gathers sensitive device data, intercepts USSD responses, tracks user actions, monitors notifications, and targets e-commerce and app interactions.

“The analysis of FireScam reveals a sophisticated and multifaceted threat targeting Android devices. Disguised as a fake Telegram Premium app, this malware employs advanced evasion techniques – abusing legitimate services like Firebase and leverages phishing websites for distribution. Its capabilities to monitor diverse device activities, intercept sensitive information, and exfiltrate data to remote servers highlight its potential impact on user privacy and security.” concludes the report that includes Indicators of Compromise (IoCs). “As threats like FireScam continue to evolve, it is crucial for organizations to implement robust cybersecurity measures and proactive defense strategies.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)