FireScam: Sophisticated Android Malware Masquerading as Telegram Premium Discovered

CyberSecureFox 🦊

Cybersecurity researchers at Cyfirma have identified a sophisticated new Android malware strain dubbed “FireScam” targeting devices running Android versions 8 through 15. The malware, disguising itself as a premium version of Telegram messenger, is being distributed through counterfeit GitHub pages that mimic the RuStore application marketplace interface.

Infection Vector and Advanced Deployment Techniques

The infection chain begins when users download a dropper module (GetAppsRu.apk) from compromised GitHub.io pages. The malware employs sophisticated DexGuard obfuscation techniques to evade detection by conventional antivirus solutions. Upon installation, FireScam requests elevated system permissions, establishing a foothold on the victim’s device.

Technical Analysis and Data Exfiltration Methods

The primary payload, delivered as “Telegram Premium.apk,” implements a deceptive WebView-based authentication interface that closely resembles legitimate Telegram login screens. When users input their credentials, the malware immediately transmits this sensitive data to command-and-control servers through a persistent connection to Firebase Realtime Database.

Advanced Surveillance Capabilities

FireScam demonstrates sophisticated monitoring capabilities, including:
– Real-time clipboard data and notification interception
– SMS message and call log monitoring
– Application activity tracking (events exceeding 1000ms)
– Financial transaction and sensitive data interception

Command and Control Infrastructure

The malware maintains persistent WebSocket connections to Firebase infrastructure, enabling real-time command reception and execution. This sophisticated C2 architecture allows threat actors to dynamically adjust surveillance parameters and extract specific data sets on demand. Stolen information is temporarily stored in Firebase databases before extraction by the attackers.
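The following is an added example, not code from the article or from Cyfirma: a small Python triage that scores constructed device-telemetry events against the indicators described above (the two APK file names, installation from outside Google Play, grants of the permissions behind the listed SMS, call-log and notification monitoring, and an outbound WebSocket to a Firebase Realtime Database endpoint). The event schema, the package names and the Firebase project host are assumptions; `com.android.vending` is the Play Store installer package and `firebaseio.com` is the Realtime Database domain in general, not FireScam-specific indicators taken from the article.

```python
"""Triage constructed device-telemetry events for the FireScam pattern the
article describes: an APK sideloaded outside an official store, the dropper
and payload file names, grants of the permissions behind the listed
surveillance features, and an outbound WebSocket to a Firebase Realtime
Database endpoint.  Added example; the event schema, package names and
hostname are assumptions, not observed FireScam artifacts."""

from collections import defaultdict
from urllib.parse import urlparse

# File names taken from the article's description of the dropper and payload.
KNOWN_APK_NAMES = {"getappsru.apk", "telegram premium.apk"}

# Installer package Android reports for Google Play installs (real identifier).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions that enable the SMS, call-log and notification monitoring the
# article lists (real Android permission strings).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Firebase Realtime Database endpoints are served under firebaseio.com
# (general Firebase fact; the project name in the sample below is made up).
FIREBASE_SUFFIX = ".firebaseio.com"

# Constructed telemetry, roughly what an MDM or EDR agent would emit.
SAMPLE_EVENTS = [
    {"device": "dev-1", "type": "install", "package": "com.example.getappsru",
     "installer": None, "apk_name": "GetAppsRu.apk"},
    {"device": "dev-1", "type": "install", "package": "com.example.telegram.premium",
     "installer": "com.example.getappsru", "apk_name": "Telegram Premium.apk"},
    {"device": "dev-1", "type": "permission_grant", "package": "com.example.telegram.premium",
     "permission": "android.permission.READ_SMS"},
    {"device": "dev-1", "type": "permission_grant", "package": "com.example.telegram.premium",
     "permission": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    {"device": "dev-1", "type": "network", "package": "com.example.telegram.premium",
     "url": "wss://made-up-project-default-rtdb.firebaseio.com/.ws?v=5"},
    {"device": "dev-2", "type": "install", "package": "org.telegram.messenger",
     "installer": "com.android.vending", "apk_name": None},
    {"device": "dev-2", "type": "network", "package": "org.telegram.messenger",
     "url": "https://api.telegram.org/"},
]


def score_events(events):
    """Return {device: {package: (score, reasons)}} for packages that hit at
    least one indicator.  Weights are a judgement call: a known file name or a
    Firebase WebSocket is stronger evidence than a single permission grant."""
    findings = defaultdict(lambda: defaultdict(lambda: [0, []]))
    for ev in events:
        entry = findings[ev["device"]][ev["package"]]
        if ev["type"] == "install":
            apk_name = (ev.get("apk_name") or "").lower()
            if apk_name in KNOWN_APK_NAMES:
                entry[0] += 3
                entry[1].append(f"known FireScam file name: {ev['apk_name']}")
            if ev.get("installer") not in TRUSTED_INSTALLERS:
                entry[0] += 1
                entry[1].append(f"sideloaded (installer={ev.get('installer')})")
        elif ev["type"] == "permission_grant":
            if ev["permission"] in SENSITIVE_PERMISSIONS:
                entry[0] += 1
                entry[1].append(f"sensitive permission: {ev['permission']}")
        elif ev["type"] == "network":
            parsed = urlparse(ev["url"])
            host = parsed.hostname or ""
            if parsed.scheme == "wss" and host.endswith(FIREBASE_SUFFIX):
                entry[0] += 2
                entry[1].append(f"WebSocket to Firebase Realtime Database: {host}")
    # Drop packages that matched nothing, and devices left with no findings.
    result = {}
    for device, packages in findings.items():
        hits = {pkg: (score, reasons)
                for pkg, (score, reasons) in packages.items() if score > 0}
        if hits:
            result[device] = hits
    return result


def triage(events, threshold=4):
    """Flatten findings to (device, package, score, reasons), highest first,
    keeping only packages at or above the alert threshold."""
    rows = [(device, pkg, score, reasons)
            for device, packages in score_events(events).items()
            for pkg, (score, reasons) in packages.items()
            if score >= threshold]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for device, pkg, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{device} {pkg} score={score}")
        for reason in reasons:
            print(f"  - {reason}")
```

On the sample data the legitimate Telegram install on `dev-2` (Play Store installer, HTTPS to its own API) scores zero and is dropped, while the sideloaded pair on `dev-1` is reported with the dropper and payload ranked by score. The threshold is deliberately low enough that a sideloaded app with a single Firebase WebSocket still surfaces for review; on a real fleet, notification access is granted through the notification-listener settings rather than a runtime permission, so an agent would report it as its own event type rather than the permission grant modelled here.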

To protect against FireScam and similar threats, security experts recommend implementing a multi-layered defense strategy. Users should exclusively install applications from official sources like Google Play Store, regularly review application permissions, maintain updated security patches, and employ reliable mobile security solutions. Organizations should also educate users about the risks of side-loading applications and implement mobile device management (MDM) solutions to prevent unauthorized app installations.
