Full Report
An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices. "Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation,"
Analysis Summary
# Tool/Technique: FireScam Android Malware
## Overview
FireScam is an Android information-stealing malware that disguises itself as a "Telegram Premium" application. It is distributed via a phishing website impersonating the Russian app store, RuStore, with the goal of stealing sensitive data, harvesting notifications, and gaining persistent remote control over infected devices.
## Technical Details
- Type: Malware family
- Platform: Android. The update-ownership lock described below depends on `ENFORCE_UPDATE_OWNERSHIP`, which was introduced in Android 14 (API level 34); on older releases that permission is unknown to the platform and the lock has no effect.
- Capabilities: Information stealing, data exfiltration, remote control, persistent access maintenance, anti-analysis.
- First Seen: not stated in the excerpt; the analysis is drawn from a Cyfirma report.
## MITRE ATT&CK Mapping
*Note: the source gives no technique IDs. The mappings below are inferred from the described behaviour. Enterprise IDs are kept where the original used them, with the ATT&CK for Mobile counterpart noted where it differs; the notification and clipboard techniques exist only in the Mobile matrix.*
- **TA0001 - Initial Access**
- T1566 - Phishing (Mobile: T1660) - the dropper is served from a phishing site impersonating RuStore
- **TA0003 - Persistence**
- No single technique ID describes the update-ownership lock; it is listed as the persistence mechanism (preventing other installers from silently replacing the package) rather than mapped to an authentication technique
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Mobile: T1406) - the report notes obfuscation and anti-analysis techniques
- **TA0009 - Collection**
- T1517 - Access Notifications (Mobile) - notification harvesting
- T1414 - Clipboard Data (Mobile) - clipboard monitoring
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Mobile: T1646) - stolen data is written to a Firebase Realtime Database endpoint
## Functionality
### Core Capabilities
- **Delivery:** Delivered via a dropper APK ("GetAppsRu.apk") hosted on a phishing site (`rustore-apk.github[.]io`) impersonating RuStore.
- **Data Theft:** Steals sensitive data, including notifications, messages, and general app data.
- **Surveillance:** Monitors incoming notifications, screen state changes, clipboard content, and e-commerce transactions.
- **Data Exfiltration:** Exfiltrates stolen data to a Firebase Realtime Database endpoint.
### Advanced Features
- **Update Ownership Persistence:** Declares the `ENFORCE_UPDATE_OWNERSHIP` permission (introduced in Android 14, API level 34) and claims update ownership of its own package when it is installed. Once a package has an update owner, any other installer, including one that holds `INSTALL_PACKAGES`, needs an explicit user action to update or replace it, so a legitimate store cannot silently push a clean build over the malware and the attacker keeps control of the update path. This abuses a documented platform feature rather than exploiting a vulnerability.
- **Image Downloading:** Capable of downloading and processing image data from a specified URL.
- **Anti-Analysis:** Employs various obfuscation and anti-analysis techniques to evade detection.
## Indicators of Compromise
- File Hashes: not provided in the excerpt
- File Names: `GetAppsRu.apk` (dropper APK)
- Registry Keys: not applicable (Android)
- Network Indicators: `rustore-apk.github[.]io` (phishing site serving the dropper); a Firebase Realtime Database endpoint used as the exfiltration destination (the hostname is not given in the excerpt)
- Behavioral Indicators: requests write access to external storage; declares `ENFORCE_UPDATE_OWNERSHIP` and claims update ownership of its own package; monitors notifications (notification-listener access) and clipboard contents; writes collected data to a Firebase Realtime Database
## Associated Threat Actors
- No threat actor is named in the excerpt; the analysis is attributed to Cyfirma.
## Detection Methods
- Signature-based detection: hash or YARA matches on the dropper and payload APKs once samples are available (none are given in the excerpt)
- Behavioral detection: static review of the requested permissions, in particular `ENFORCE_UPDATE_OWNERSHIP` combined with a notification-listener service and external-storage writes, and network monitoring for writes to Firebase Realtime Database hosts (`*.firebaseio.com`, `*.firebasedatabase.app`) from apps that have no reason to use Firebase
- YARA rules: not provided
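As an added example for the detection section (not tooling from Cyfirma or the source report): the script below scores a decoded AndroidManifest.xml for the permission and service pattern described above (update-ownership permission, external-storage write, a notification-listener service) and scans per-app HTTP log lines for REST writes to Firebase Realtime Database hosts. The manifest, the log format, the package names and the hostnames are constructed for illustration and are not indicators from the report.

```python
"""Static and network triage for the behaviours attributed to FireScam.

Added example for this summary, not Cyfirma's or anyone else's tooling.
The manifest and the log lines below are constructed for illustration;
the package names, hostnames and log format are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions called out in the report, with a weight for the verdict.
# ENFORCE_UPDATE_OWNERSHIP exists only on Android 14 (API 34) and later.
SUSPECT_PERMISSIONS = {
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": ("claims update ownership", 3),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("writes external storage", 1),
}
# A service that receives every notification must be protected by this permission.
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SUSPICIOUS_SCORE = 4


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml (e.g. apktool output) for the
    FireScam permission pattern. Returns package, score, findings, verdict."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm, (why, weight) in SUSPECT_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"{perm}: {why}")
            score += weight
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM:
            findings.append(f"{svc.get(ANDROID_NS + 'name')}: notification listener")
            score += 2
    verdict = "suspicious" if score >= SUSPICIOUS_SCORE else "review"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Firebase Realtime Database hosts: <project>.firebaseio.com or
# <project>-default-rtdb.<region>.firebasedatabase.app; REST paths end in .json.
FIREBASE_HOST_RE = re.compile(
    r"^https?://([a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app))/",
    re.IGNORECASE)
# Hypothetical per-app HTTP log format: "<ts> pkg=<package> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def firebase_writes(log_lines, allowlist=frozenset()):
    """Return (package, firebase_host, url) for every REST write to a Firebase
    Realtime Database by a package not on the allowlist. Reads are ignored,
    since many legitimate apps fetch configuration from Firebase."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["pkg"] in allowlist or m["method"] not in WRITE_METHODS:
            continue
        host = FIREBASE_HOST_RE.match(m["url"])
        if host:
            hits.append((m["pkg"], host.group(1), m["url"]))
    return hits


# Constructed sample manifest showing the permission/service pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.telegrampremium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application>
    <service android:name=".NotificationSink"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed log lines: one exfiltration write, one benign read, one unrelated fetch.
SAMPLE_LOG = [
    "2025-01-06T10:22:13Z pkg=org.example.telegrampremium PUT "
    "https://example-project-default-rtdb.europe-west1.firebasedatabase.app/devices/ab12/notifications.json 200",
    "2025-01-06T10:22:15Z pkg=com.example.weather GET https://example-weather.firebaseio.com/forecast.json 200",
    "2025-01-06T10:22:20Z pkg=org.example.telegrampremium GET https://example.org/img/banner.png 200",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    for pkg, host, url in firebase_writes(SAMPLE_LOG):
        print(f"firebase write by {pkg} -> {host}: {url}")
```

In practice the manifest comes from `apktool d GetAppsRu.apk` (the decoded `AndroidManifest.xml`), and the log lines from whatever per-app proxy or EDR telemetry is available; the Firebase check deliberately ignores reads, so it will not fire on apps that only pull remote configuration.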
## Mitigation Strategies
- **Prevention:** Do not sideload applications from unofficial sources or phishing sites, particularly ones offering a "premium" version of a popular app (here, Telegram Premium) outside the official store.
- **Hardening:** Regularly review the permissions granted to installed apps, with particular attention to notification access, which is granted through a dedicated settings screen rather than a runtime prompt and gives an app the content of every notification.
- **Update Control:** On Android 14 and later, the installer that requests update ownership controls the update path for that package: an update from any other installer prompts the user instead of applying silently. A malicious app that holds update ownership of itself should therefore be uninstalled, not "updated over" from a store.
## Related Tools/Techniques
- Information Stealers targeting Android (General category).
- Malware utilizing Firebase for C2 infrastructure.
- Social engineering tactics leveraging popular applications (Telegram).