New FireScam Android Malware Abusing Firebase Services To Evade Detection

FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data and maintains persistence on compromised devices and leverages phishing websites to distribute its payload and infiltrate Android devices.  

It is Android malware disguised as a fake Telegram Premium app distributed via a phishing website mimicking RuStore, which steals user data like notifications, messages, and clipboard content and exfiltrates it to the Firebase Realtime Database.

Technical Analysis

Exfiltrated data is initially stored in the Firebase Realtime Database at “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” before potential filtering and transfer to a private location.

The Firebase Realtime Database analysis revealed potential Telegram IDs of threat actors and malware users under the ‘users’ tag, while under the ‘app’ tag, the database exposed the URL of a phishing site hosting dropper malware. 

Phishing websites mimicking legitimate platforms like RuStore successfully distribute malware like FireScam, which exploits user trust to deliver malicious applications such as “Telegram Premium,” often evading detection through obfuscation techniques and advanced persistence mechanisms.

GetAppsRu.apk is a malicious dropper protected by DexGuard that queries installed apps and reads or writes external storage.

It installs or updates other apps without user consent and delivers FireScam malware disguised as Telegram Premium.apk on devices running Android 8 to 15.

FireScam utilizes NP Manager to obfuscate its core package ru.get.app, making reverse engineering difficult, and also employs empty class inheritance and process name verification to potentially evade sandbox detection. 

It is also capable of identifying virtualized environments by fingerprinting device details, which could potentially optimize its attack and allow it to circumvent security guards. 

An app using Firebase Cloud Messaging (FCM) can receive remote commands and exfiltrate data while maintaining persistent communication with a remote server, potentially bypassing security measures.

A malicious app exploits dynamic broadcast receivers with custom permissions to create a backdoor for communication and abuses the Firebase Realtime Database to exfiltrate sensitive device information, including device name, app name, notification text, and timestamps.

It stealthily installs and executes on the victim’s device by requesting critical permissions. It leverages Firebase for registration and attempts C2DM integration while initiating data exfiltration by accessing contacts, messages, and potentially other sensitive information.

According to Cyfirma, FireScam exfiltrates sensitive data from compromised devices to a Firebase C2 server using TLS-encrypted GET requests.

These requests, combined with a WebSocket upgrade, enable real-time bidirectional communication to facilitate data exfiltration and command-and-control operations.

An Android malware disguised as Telegram Premium uses Firebase for evasion and steals sensitive data by distributing through phishing websites.

It monitors device activity and exfiltrates information to remote servers, posing a significant threat to user privacy and security.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free