Cyber Security News

New FireScam Android Malware Abusing Firebase Services To Evade Detection

FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data and maintains persistence on compromised devices and leverages phishing websites to distribute its payload and infiltrate Android devices.  

It is Android malware disguised as a fake Telegram Premium app distributed via a phishing website mimicking RuStore, which steals user data like notifications, messages, and clipboard content and exfiltrates it to the Firebase Realtime Database.

Technical Analysis

Exfiltrated data is initially stored in the Firebase Realtime Database at “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” before potential filtering and transfer to a private location.

Potential telegram IDs of the members of the threat actor group/ malware users

The Firebase Realtime Database analysis revealed potential Telegram IDs of threat actors and malware users under the ‘users’ tag, while under the ‘app’ tag, the database exposed the URL of a phishing site hosting dropper malware. 

Phishing websites mimicking legitimate platforms like RuStore successfully distribute malware like FireScam, which exploits user trust to deliver malicious applications such as “Telegram Premium,” often evading detection through obfuscation techniques and advanced persistence mechanisms.

Exfiltrated content from compromised device on firebase database endpoint

GetAppsRu.apk is a malicious dropper protected by DexGuard that queries installed apps and reads or writes external storage.

It installs or updates other apps without user consent and delivers FireScam malware disguised as Telegram Premium.apk on devices running Android 8 to 15.

FireScam utilizes NP Manager to obfuscate its core package ru.get.app, making reverse engineering difficult, and also employs empty class inheritance and process name verification to potentially evade sandbox detection. 

It is also capable of identifying virtualized environments by fingerprinting device details, which could potentially optimize its attack and allow it to circumvent security guards. 

Device fingerprinting

An app using Firebase Cloud Messaging (FCM) can receive remote commands and exfiltrate data while maintaining persistent communication with a remote server, potentially bypassing security measures.

A malicious app exploits dynamic broadcast receivers with custom permissions to create a backdoor for communication and abuses the Firebase Realtime Database to exfiltrate sensitive device information, including device name, app name, notification text, and timestamps.

Requesting Permission

It stealthily installs and executes on the victim’s device by requesting critical permissions. It leverages Firebase for registration and attempts C2DM integration while initiating data exfiltration by accessing contacts, messages, and potentially other sensitive information.

According to Cyfirma, FireScam exfiltrates sensitive data from compromised devices to a Firebase C2 server using TLS-encrypted GET requests.

These requests, combined with a WebSocket upgrade, enable real-time bidirectional communication to facilitate data exfiltration and command-and-control operations.

An Android malware disguised as Telegram Premium uses Firebase for evasion and steals sensitive data by distributing through phishing websites.

It monitors device activity and exfiltrates information to remote servers, posing a significant threat to user privacy and security.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago