Key Takeaways
What is FireScam?
FireScam is a sophisticated Android malware family that is disguised as a Telegram Premium app. It has both infostealer and spyware capabilities. Cyfirma recently reported on FireScam.
FireScam is distributed through a phishing site hosted on GitHub that poses as RuStore, a popular app store for Russian Android users. It uses a multi-stage infection chain that begins with a dropper APK. Once installed on the victim device, the malware conducts extensive surveillance, acting as both spyware and infostealer. It presents a fake Telegram login page to steal the user's Telegram credentials, and it monitors device activity, including screen state changes, transactions, app notifications, the device's clipboard, and user interactions, which allows it to covertly collect sensitive data.
FireScam is capable of exfiltrating a victim’s data, including notifications, messages, and app data. The exfiltrated data is sent to the C2, which is a Firebase Realtime Database endpoint. The malware uses Firebase for C2, data storage, and delivery of follow-on payloads. According to researchers at Cyfirma, the Firebase Realtime Database used for C2 reveals Telegram IDs potentially linked to the threat actors behind the malware.
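Because the C2 channel described above is an ordinary Firebase Realtime Database endpoint, the traffic blends in with the many legitimate apps that use Firebase. One practical detection approach is to pair per-app egress telemetry with an allowlist of packages known to use Firebase, and flag any other package talking to a Realtime Database host. The script below is an added example written for this post, not code from PolySwarm or Cyfirma; the log format, package names, and project IDs are constructed placeholders, while the `.firebaseio.com` and `.firebasedatabase.app` suffixes are Firebase's real Realtime Database domains.

```python
import re
from dataclasses import dataclass

# Firebase Realtime Database endpoints are served from these domains
# (Firebase's own naming; the project ID is the left-most label).
FIREBASE_RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")

# Assumption: the fleet keeps an allowlist of packages that legitimately use
# Firebase RTDB. The package name here is a placeholder.
KNOWN_FIREBASE_USERS = frozenset({"com.placeholder.legitchat"})

# Hypothetical per-app egress log format (constructed for this example):
#   <timestamp> pkg=<package> dst=<host>:<port> bytes_out=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pkg=(?P<pkg>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)"
    r"\s+bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample log. Project IDs and package names are placeholders,
# not indicators from the FireScam campaign.
SAMPLE_LOG = """\
2025-01-06T10:00:01Z pkg=com.placeholder.legitchat dst=placeholder-a-default-rtdb.firebaseio.com:443 bytes_out=1200
2025-01-06T10:00:05Z pkg=com.placeholder.telegrampremium dst=placeholder-b-default-rtdb.firebaseio.com:443 bytes_out=48213
2025-01-06T10:00:09Z pkg=com.android.chrome dst=www.example.com:443 bytes_out=300
2025-01-06T10:00:12Z pkg=com.placeholder.telegrampremium dst=placeholder-b.firebasedatabase.app:443 bytes_out=9100
malformed line that should be skipped
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    pkg: str
    host: str
    bytes_out: int


def is_firebase_rtdb_host(host: str) -> bool:
    """True if the destination host is a Firebase Realtime Database endpoint."""
    h = host.lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in FIREBASE_RTDB_SUFFIXES)


def find_unexpected_firebase_traffic(log_text: str, allowlist=KNOWN_FIREBASE_USERS):
    """Return one Finding per log line where a non-allowlisted package
    sends data to a Firebase Realtime Database host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the expected format
        if m["pkg"] in allowlist or not is_firebase_rtdb_host(m["host"]):
            continue
        findings.append(Finding(m["ts"], m["pkg"], m["host"], int(m["bytes"])))
    return findings


def bytes_out_by_package(findings):
    """Aggregate outbound volume per package so exfiltration stands out."""
    totals = {}
    for f in findings:
        totals[f.pkg] = totals.get(f.pkg, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    hits = find_unexpected_firebase_traffic(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.pkg} -> {f.host} ({f.bytes_out} bytes out)")
    print(bytes_out_by_package(hits))
```

Flagging a package this way is a triage signal, not a verdict: Firebase is widely used, so the allowlist does most of the work, and the per-package byte totals help separate a one-off config fetch from sustained upload of notifications and messages.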
FireScam is capable of installing follow-on payloads and covert updates. It also uses various obfuscation techniques to evade detection: it relies on NP Manager to protect its core package against analysis and reverse engineering, and it creates and inherits from empty classes as a further form of obfuscation. FireScam can also detect whether it is running in an analysis or virtual environment.
FireScam represents a significant threat to Android users, combining information stealing and spyware capabilities with sophisticated distribution and obfuscation techniques. PolySwarm analysts consider FireScam to be an emerging threat.
IOCs
PolySwarm has a sample of FireScam.
12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1
You can use the following CLI command to search for all FireScam samples in our portal:
$ polyswarm link list -f FireScam