Cyber Security News

New FireScam Android Malware Abusing Firebase Services To Evade Detection

FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data and maintains persistence on compromised devices and leverages phishing websites to distribute its payload and infiltrate Android devices.  

It is Android malware disguised as a fake Telegram Premium app distributed via a phishing website mimicking RuStore, which steals user data like notifications, messages, and clipboard content and exfiltrates it to the Firebase Realtime Database.

Technical Analysis

Exfiltrated data is initially stored in the Firebase Realtime Database at “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” before potential filtering and transfer to a private location.

Potential telegram IDs of the members of the threat actor group/ malware users

The Firebase Realtime Database analysis revealed potential Telegram IDs of threat actors and malware users under the ‘users’ tag, while under the ‘app’ tag, the database exposed the URL of a phishing site hosting dropper malware. 

Phishing websites mimicking legitimate platforms like RuStore successfully distribute malware like FireScam, which exploits user trust to deliver malicious applications such as “Telegram Premium,” often evading detection through obfuscation techniques and advanced persistence mechanisms.

Exfiltrated content from compromised device on firebase database endpoint

GetAppsRu.apk is a malicious dropper protected by DexGuard that queries installed apps and reads or writes external storage.

It installs or updates other apps without user consent and delivers FireScam malware disguised as Telegram Premium.apk on devices running Android 8 to 15.

FireScam utilizes NP Manager to obfuscate its core package ru.get.app, making reverse engineering difficult, and also employs empty class inheritance and process name verification to potentially evade sandbox detection. 

It is also capable of identifying virtualized environments by fingerprinting device details, which could potentially optimize its attack and allow it to circumvent security guards. 

Device fingerprinting

An app using Firebase Cloud Messaging (FCM) can receive remote commands and exfiltrate data while maintaining persistent communication with a remote server, potentially bypassing security measures.

A malicious app exploits dynamic broadcast receivers with custom permissions to create a backdoor for communication and abuses the Firebase Realtime Database to exfiltrate sensitive device information, including device name, app name, notification text, and timestamps.

Requesting Permission

It stealthily installs and executes on the victim’s device by requesting critical permissions. It leverages Firebase for registration and attempts C2DM integration while initiating data exfiltration by accessing contacts, messages, and potentially other sensitive information.

According to Cyfirma, FireScam exfiltrates sensitive data from compromised devices to a Firebase C2 server using TLS-encrypted GET requests.

These requests, combined with a WebSocket upgrade, enable real-time bidirectional communication to facilitate data exfiltration and command-and-control operations.

An Android malware disguised as Telegram Premium uses Firebase for evasion and steals sensitive data by distributing through phishing websites.

It monitors device activity and exfiltrates information to remote servers, posing a significant threat to user privacy and security.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

9 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

10 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

10 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

10 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

10 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

10 hours ago