A new Android malware, FireScam, is masquerading as a Telegram Premium app, stealing data and controlling devices. It's distributed through phishing sites mimicking RuStore, with the potential to compromise millions.
Key takeaways:
📲 Disguised as Telegram Premium: FireScam exploits the popularity of Telegram by posing as its premium version, tricking users into downloading it for enhanced features.
🔓 Data Exfiltration: Once installed, it seeks permissions to access personal data like contacts, messages, and call logs, forwarding this information to attackers.
🕵️‍♂️ Surveillance Features: Beyond data theft, FireScam monitors notifications, screen state changes, and even e-commerce transactions to gather more intelligence.
🔗 Phishing Distribution: It's spread via GitHub.io-hosted sites that falsely claim to be the RuStore App Store, a popular platform in Russia, to evade detection.
🔒 Persistent Control: The malware registers a service to receive commands via Firebase Cloud Messaging, allowing it to maintain covert access to the device.
iocs.txt: List of all Indicators of Compromise (IOCs) in the article.
endpoint-iocs.txt: List of endpoint IOCs in the article.
network-iocs.txt: List of network IOCs in the article.
FireScam_Malware_Indicators.yar: YARA rule to detect or hunt for malware described in the article.
mitre-attack-ttps.txt: List of MITRE ATT&CK techniques observed.
Note
Use the following scripts in threat-hunting-scripts to help you hunt:
verify-iocs-vt.py: Verify IOCs using VirusTotal Community API.
iocs-to-cs.py: Upload IOCs to CrowdStrike Falcon Falcon IOC Management for detection and blocking.