| Category | Details |
|---|---|
| Threat Actors | Unknown; the operators behind the phishing site have not been identified. |
| Campaign Overview | FireScam is Android malware distributed as a fake "Telegram Premium" app. It steals data from infected devices and keeps persistent remote control over them. |
| Target Regions (Or Victims) | Users in Russia, lured through a phishing website that mimics the RuStore app store. |
| Methodology | Multi-stage infection: a dropper APK served from the fake store installs the FireScam payload, which exfiltrates data and maintains persistent remote control over the device. |
| Product Targeted | Telegram Premium (impersonated by the fake app) |
| Malware Reference | FireScam (Android) |
| Tools Used | Dropper APK ("GetAppsRu.apk"); Firebase Realtime Database for exfiltrated data; WebView to render the phishing page; WebSocket connection for C2 communication. |
| Vulnerabilities Exploited | No software vulnerability. The campaign relies on social engineering (a fake RuStore store) and abuses app permissions so that the malicious app cannot be replaced by a legitimate update. |
| TTPs | Obfuscation and anti-analysis techniques; data exfiltration; monitoring of notifications, e-commerce transactions, clipboard contents, and user activity. |
| Attribution | Unknown. The RuStore-themed lure indicates who is being targeted, not who the operators are. |
| Recommendations | Install apps only from official stores and be wary of sites impersonating app stores; deny permissions an app does not need, in particular install and notification-access grants; verify an app's publisher and signature before installing it. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/firescam-android-malware-poses-as.html
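Added example, not code from the article or from any analysis of the FireScam sample: a static triage script that checks a decoded `AndroidManifest.xml` (as `apktool` emits it) and a list of extracted strings for the traits the summary lists, namely installer and update-ownership permissions, a `NotificationListenerService` (the Android mechanism behind notification monitoring), and Firebase Realtime Database or WebSocket endpoints. The sample manifest, package names, and endpoints below are constructed; the permission and action names are real Android identifiers. Findings from such a check are a starting point for triage, not proof of malice.

```python
"""Static triage of an Android manifest + extracted strings (added example).

Assumptions: manifest text is what apktool decodes; strings come from a
tool such as `strings` over the DEX files. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree stores android:name as {ns}name

# Real Android permissions that let an app install/remove packages or claim
# update ownership (ENFORCE_UPDATE_OWNERSHIP exists from API 34); together
# they let a dropper block other installers from updating it.
INSTALLER_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.ENFORCE_UPDATE_OWNERSHIP",
}
# Intent action a service must declare to receive every notification.
NOTIF_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
# Infrastructure patterns matching the summary: Firebase RTDB and WebSocket C2.
INFRA_PATTERNS = {
    "firebase_rtdb": re.compile(r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)"),
    "websocket_c2": re.compile(r"wss?://[\w.:/-]+"),
}

# Constructed sample inputs (hypothetical package names and hosts).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.store">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <application android:label="Telegram Premium">
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_STRINGS = [
    "Telegram Premium",
    "https://example-project-default-rtdb.firebaseio.com/users",
    "wss://c2.example.invalid:8080/socket",
]
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def triage(manifest_xml, strings):
    """Return the dropper/spyware/infra indicators found in the inputs."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "installer_perms": sorted(perms & INSTALLER_PERMS),
        "notification_listener": False,
        "infra": {key: [] for key in INFRA_PATTERNS},
    }
    # A notification listener is any <service> whose intent-filter carries the action.
    for svc in root.iter("service"):
        if NOTIF_LISTENER_ACTION in {a.get(NAME) for a in svc.iter("action")}:
            findings["notification_listener"] = True
    for s in strings:
        for key, pat in INFRA_PATTERNS.items():
            m = pat.search(s)
            if m:
                findings["infra"][key].append(m.group(0))
    return findings


def risk_score(findings):
    """Weight the indicators; the combination, not any single one, is what matters."""
    score = 0
    if findings["installer_perms"]:
        score += 2
    if "android.permission.ENFORCE_UPDATE_OWNERSHIP" in findings["installer_perms"]:
        score += 1  # blocks legitimate updates from replacing the app
    if findings["notification_listener"]:
        score += 2
    if findings["infra"]["firebase_rtdb"]:
        score += 1
    if findings["infra"]["websocket_c2"]:
        score += 1
    return score


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = triage(manifest, SAMPLE_STRINGS if manifest is SAMPLE_MANIFEST else [])
        print(f["package"], "score", risk_score(f), f)
```

Run it on real input by feeding `apktool d sample.apk` output and `strings classes*.dex` into `triage`; a high score combined with a package name that does not match the advertised app is the pattern worth escalating.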
The above summary has been generated by an AI language model