Severity
High
Analysis Summary
FireScam is an Android information-stealing malware that poses as a premium Telegram messaging app in order to collect data and maintain long-term remote control over compromised devices.
It is distributed through a phishing website hosted on GitHub.io that mimics RuStore, a well-known app store in the Russian Federation, and offers a phony "Telegram Premium" app. Researchers characterize it as a sophisticated and multifaceted threat. Once deployed, the malware conducts extensive surveillance and follows a multi-stage infection chain that begins with a dropper APK.
The phishing website in question, rustore-apk.github[.]io, imitates RuStore, an app store introduced in the country by the Russian internet giant VK, and distributes a dropper APK file ("GetAppsRu.apk"). Once installed, the dropper delivers the primary payload, which is responsible for exfiltrating sensitive data such as messages, notifications, and other app data to a Firebase Realtime Database endpoint. On infected devices running Android 8 and later, the dropper app requests several permissions, including the ability to install, update, and remove arbitrary apps as well as to write to external storage.
The ENFORCE_UPDATE_OWNERSHIP permission ensures that only the app's designated update owner can deliver updates to it. An app's original installer can designate itself as the "update owner," which gives it control over the app's updates; any attempt by another installer to update the app must first be approved by the user. A rogue app can abuse this to persist on the device by claiming update ownership and blocking legitimate updates from other sources.
To evade detection, FireScam uses a variety of obfuscation and anti-analysis techniques. To harvest relevant data, it also monitors incoming notifications, screen state changes, e-commerce transactions, clipboard content, and user activity. Another noteworthy capability is downloading and processing image data from a given URL. After requesting the user's consent to access contact lists, call logs, and SMS messages, the malicious Telegram Premium app loads the official Telegram website's login page in a WebView in order to steal the entered credentials. Data collection begins whether or not the victim actually logs in.
As a final indication of the malware's extensive monitoring capabilities, it registers a service to receive Firebase Cloud Messaging (FCM) notifications, which lets it receive remote commands and maintain covert access. In parallel, the malware opens a WebSocket connection to its command-and-control (C2) server for follow-on command delivery and data exfiltration. According to the researchers, the phishing domain also hosted a malicious artifact named CDEK, probably a reference to the Russian shipment and delivery tracking service of the same name; however, the researchers said they were unable to acquire that artifact at the time of analysis.
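The dropper behaviour described above (arbitrary package install/update/remove, external-storage write access, update-ownership enforcement, access to SMS, contacts and call logs, notification monitoring, and an FCM command channel) leaves a recognisable footprint in a decoded AndroidManifest.xml. The triage script below is an added example for defenders, not code from the original report; the permission strings it looks for are real Android permissions but are an assumption about what the dropper declares, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Risk categories and the manifest permissions that realise them (assumed set;
# the exact strings declared by the real dropper are not given in the report).
RISK_PERMISSIONS = {
    "package-control": {"android.permission.REQUEST_INSTALL_PACKAGES",
                        "android.permission.REQUEST_DELETE_PACKAGES",
                        "android.permission.ENFORCE_UPDATE_OWNERSHIP"},
    "storage-write": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "personal-data": {"android.permission.READ_SMS",
                      "android.permission.READ_CONTACTS",
                      "android.permission.READ_CALL_LOG"},
}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk categories a decoded AndroidManifest.xml matches."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    hits = {cat: sorted(declared & perms)
            for cat, perms in RISK_PERMISSIONS.items() if declared & perms}
    for svc in root.iter("service"):
        # A service guarded by the listener permission can read every notification.
        if svc.get(A + "permission") == NOTIF_LISTENER:
            hits["notification-listener"] = [svc.get(A + "name")]
        # A service receiving FCM events is a candidate remote command channel.
        if any(a.get(A + "name") == FCM_ACTION for a in svc.iter("action")):
            hits["fcm-remote-commands"] = [svc.get(A + "name")]
    # Heuristic: package control combined with at least two other categories.
    hits["matches_pattern"] = "package-control" in hits and len(hits) >= 3
    return hits


# Constructed sample manifest exhibiting the described footprint.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.dropper.constructed">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".FcmSvc"><intent-filter>
      <action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
  </application>
</manifest>"""
```

Run it over a manifest decoded with a tool such as apktool; a result with `matches_pattern` set is a triage signal that warrants deeper analysis, not a verdict on its own.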
It is currently unclear who the operators are, how users are directed to these links, and whether malvertising or SMS phishing is involved. By imitating trusted platforms such as the RuStore app store, these malicious websites exploit user trust to trick people into downloading and installing phony apps. The harmful actions FireScam performs, such as data exfiltration and surveillance, further illustrate how effective phishing-based distribution is at infecting devices and evading detection.
Impact
- Information Theft
- Unauthorized Access
- Data Exfiltration
Indicators of Compromise
MD5
- 5d21c52e6ea7769be45f10e82b973b1e
- cae5a13c0b06de52d8379f4c61aece9c
SHA-256
- b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b
- 12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1
SHA1
- 88f45210b4af5f15544518a256a818f7c63cf89d
- 4efe9ea478a86b0eca8cb0e7e43236dc22e716a2
URL
- https://androidscamru-default-rtdb.firebaseio.com/
- https://rustore-apk.github.io/telegram_premium
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.