Researchers have discovered a new Android threat. Known as FireScam, this malware primarily targets Russian users by masquerading as Telegram Premium.
FireScam Android Malware Disguised as Fake RuStore App
According to a recent report by cybersecurity company Cyfirma, a dangerous Android malware is actively spreading among Russian users. This malware possesses various malicious capabilities, including the ability to bypass security measures, stay persistent on infected devices, and steal sensitive data.
FireScam is being distributed through phishing websites to deceive unsuspecting victims. It is mainly propagated through a fake RuStore app served from a phishing site hosted on GitHub.io. By masquerading as Telegram Premium, the malware tricks users into downloading it.
Once the malicious app is downloaded, it installs a dropper APK that fetches and deploys the FireScam payload. After installation, the malware establishes a persistent presence on the device and carries out various malicious activities: extracting messages, notifications, and other data, and monitoring screen changes, transactions, and clipboard activity. It uses obfuscation techniques and checks for emulators and virtual environments to evade detection.
As part of its spyware-like functionality, the malware initially transfers stolen data to a Firebase Realtime Database endpoint; the data is later filtered and moved to a private storage location.
FireScam is designed to impact a wide range of users, infecting devices running Android 8 up to the latest Android 15 versions.
Researchers have provided a detailed technical breakdown of the malware in their report.
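The dropper-then-payload chain described above leaves different traces in each APK's manifest. The following triage script is an added example, not code from the Cyfirma report or from the malware. It assumes the manifest has already been decoded to text (for example with apktool), and the marker list, capability labels, and sample manifests are assumptions built from standard Android permissions, not FireScam indicators.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: generic Android manifest markers for the capability classes the
# article names. This is not FireScam's actual manifest or a signature for it.
PERMISSION_MARKERS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs_other_apks",
    "android.permission.READ_SMS": "reads_messages",
    "android.permission.RECEIVE_SMS": "reads_messages",
}
SERVICE_MARKERS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "reads_notifications",
}

def triage_manifest(manifest_xml):
    """Map a decoded AndroidManifest.xml to {capability: [evidence, ...]}."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID + "name", "")
        if name in PERMISSION_MARKERS:
            found.setdefault(PERMISSION_MARKERS[name], []).append(name)
    # A notification listener is declared as a service guarded by the bind permission.
    for svc in root.iter("service"):
        guard = svc.get(ANDROID + "permission", "")
        if guard in SERVICE_MARKERS:
            found.setdefault(SERVICE_MARKERS[guard], []).append(svc.get(ANDROID + "name", "?"))
    return found

# Constructed sample manifests (hypothetical package and service names).
DROPPER_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""

PAYLOAD_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.payload">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("dropper", DROPPER_SAMPLE), ("payload", PAYLOAD_SAMPLE)):
        print(label, triage_manifest(xml_text))
```

Legitimate app stores and messaging apps request the same permissions, so a hit is a reason to look closer at a sideloaded APK, not a verdict.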
To mitigate the risk posed by this malware, users are advised to be cautious when interacting with websites and refrain from engaging with unsolicited emails, messages, and unfamiliar URLs.