FireScam Malware Poses as Telegram Premium to Steal Data and Control Devices

A dangerous Android malware called FireScam is disguising itself as "Telegram Premium" to steal sensitive data and remotely control infected devices. Distributed via phishing sites mimicking legitimate platforms, FireScam demonstrates advanced techniques to evade detection and maintain control over devices.

  • FireScam pretends to be "Telegram Premium" and spreads through a phishing site hosted on GitHub.io.
  • Fake website mimics RuStore, a well-known app store in Russia, to trick users into downloading a malicious APK file called "GetAppsRu.apk."

  • The malware uses a multi-stage attack process, starting with a dropper APK to deliver the main malicious payload.
  • Steals sensitive data like notifications, messages, and app information, which is sent to a Firebase database.
  • Requests dangerous permissions, including control over app updates, which prevents users from installing legitimate updates.
  • Watches user activity, including e-commerce transactions, clipboard content, and screen changes, to gather more data.
  • Uses WebView to display a fake login page for Telegram, stealing user credentials and contact details.
  • Employs anti-detection techniques to evade security scans and maintain persistence on infected devices.
  • Connects to a command-and-control server to execute further malicious activities remotely.
  • Hosted alongside another malware "CDEK," potentially targeting package tracking services

FireScam is a sophisticated malware that exploits user trust by posing as a legitimate app like Telegram Premium. Its ability to steal sensitive data, maintain remote control, and evade detection makes it a significant threat. Protect yourself by avoiding APK downloads from unverified sources and staying vigilant against phishing websites. Ensure your devices are secured with Net Protector Antivirus to detect and block such threats effectively.