"Firescam": Infostealer disguises itself as a Telegram premium app

Phishing sites are trying to persuade Android users to install a fake Telegram premium app. An infostealer is lurking inside.

Stylized graphic: shattered Google Play Store logo from which viruses emerge

(Image: created with AI in Bing Designer by heise online / dmk)


In a current malware campaign, criminals are trying to trick unsuspecting victims on phishing sites into installing a fake Telegram premium app. What actually ends up on the Android smartphone, however, is the infostealer “Firescam”.

The IT researchers from Cyfirma describe the malware in a detailed analysis. “Firescam” is offered as a fake “Telegram Premium App” on a phishing page hosted on the GitHub.io domain, which imitates the look of RuStore, an app store from the Russian VK ecosystem. Instead of premium functions in Telegram, however, victims get an extensive data drain.

According to the analysis, the phishing page first delivers an installer with the file name “GetAppsRu.apk” and a file size of around 5 MByte. This installs a package with the name “ru.store.installer” and creates a program icon labeled “GetAppsRu”. Tapping it starts the dropper, which offers to install Telegram Premium via an “Install” button. After the security prompt asking whether users want to install the app displayed as “Telegram Premium”, the Firescam malware is installed; for this purpose an installation package “Telegram Premium.apk” with a size of around 3 MB is executed.


Firescam contacts a command-and-control endpoint on Firebase and listens for Firebase Cloud Messaging (FCM) notifications. The malware also sends the harvested data there. Among other things, the device data of the infected Android smartphone is sent right after installation. The malware then monitors the Messages app, for example, and forwards the content of text messages as well as the activation and deactivation of the phone screen. Firescam sends certain notifications, such as those marked as conversations or alerts, to the control server; messages from the Telegram, WhatsApp, Viber and VK apps in particular are on the infostealer's list. The monitoring on infected devices is extremely extensive: the clipboard is also under observation, as are e-commerce transactions. The malware can also load additional malicious functions.

However, Firescam also provides the expected functions so as not to be noticed immediately: at startup, a dialog claims that Telegram premium functions are now accessible, only to then ask for further permissions and finally open the real Telegram website in a WebView and offer to log in there. Regardless of whether victims enter real or fake credentials here, the data transfer starts at this point and sends the Telegram conversation data to the masterminds behind the malware.

At the end of the analysis, the IT researchers from Cyfirma also list indicators of compromise (IOCs), which interested parties can use to check whether the malware is installed and active on their devices.
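A defender-side check in the spirit of that IoC list, added here as an example and not taken from Cyfirma's analysis or from heise: it parses the output of `adb shell pm list packages` and `adb shell settings get secure enabled_notification_listeners` (constructed sample output embedded), flags the dropper package named in the article, and reports any package holding notification access outside an assumed allowlist, since reading other apps' notifications is how the stealer gets at messages. The allowlist and all package names other than ru.store.installer are assumptions.

```python
# Added triage helper (not from Cyfirma/heise); package names other than the dropper are constructed.
DROPPER_PACKAGE = "ru.store.installer"  # package name reported for GetAppsRu.apk in the article

# Assumed allowlist of packages that legitimately hold notification access.
TRUSTED_LISTENERS = {"com.android.systemui", "com.google.android.apps.messaging"}

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PACKAGES = """\
package:com.android.systemui
package:org.telegram.messenger
package:ru.store.installer
package:com.example.telegrampremium
"""

# Constructed sample of the enabled_notification_listeners setting:
# ComponentNames (package/class) separated by ':'; the string "null" means none.
SAMPLE_LISTENERS = (
    "com.android.systemui/.NotificationListener:"
    "com.example.telegrampremium/.svc.NlService"
)

def parse_packages(pm_output):
    """Return the set of package names from `pm list packages` output."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def parse_listeners(setting):
    """Return the package names of enabled notification listeners."""
    if not setting or setting.strip() == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def triage(pm_output, listener_setting, trusted=TRUSTED_LISTENERS):
    """Return findings: the known dropper package and any untrusted notification listener."""
    findings = []
    if DROPPER_PACKAGE in parse_packages(pm_output):
        findings.append("dropper package present: " + DROPPER_PACKAGE)
    for pkg in sorted(parse_listeners(listener_setting) - set(trusted)):
        findings.append("untrusted notification listener: " + pkg)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKAGES, SAMPLE_LISTENERS):
        print(finding)
```

On a real device, replace the two sample strings with the actual command output; an unexpected listener is worth reviewing even when the dropper package itself is absent.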

Dangerous fake apps are not only lurking on external sites. At the end of last year, IT security researchers from Zscaler reported that they had discovered more than 200 malware-infected apps in Google's Play Store in the previous 12 months, which together amounted to almost eight million installations.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.