Android Malware Spreads via Fake Telegram Premium App

An emerging Android malware, FireScam, is posing as a premium version of Telegram and spreading via phishing websites imitating RuStore, Russia's alternative app marketplace. Researchers at Cyfirma revealed the malware uses advanced techniques to steal user data.

FireScam is distributed through a fake GitHub-hosted RuStore page. RuStore was launched in May 2022 by VK with the Russian Ministry of Digital Development’s backing. It was developed as an alternative to Western app stores like Google Play and the Apple App Store.

The fake page delivers a dropper named GetAppsRu.apk, which uses DexGuard obfuscation to bypass detection and gain critical permissions. These permissions allow it to identify installed apps, access device storage, and install additional malware. Once the device is compromised, it downloads and installs the primary malware payload, Telegram Premium.apk.

Upon opening this app, the malware requests access to sensitive data such as notifications, clipboard, SMS, and telephony services. FireScam also begins to track screen activity and monitors e-commerce transactions.

The malware then initiates communication with a Firebase Realtime Database, temporarily storing stolen data before it’s exfiltrated to an unknown location. Using unique device identifiers, FireScam tracks compromised devices in real time.

Additionally, the malware maintains a WebSocket connection to a Firebase command-and-control server, giving the threat actors the ability to efficiently and stealthily extract data, give remote commands, and install additional payloads.

In recent and relevant news, it was discovered that an Android malware under the name of NGate had been stealing NFC (Near Field Communication) data with the aim of replicating payment cards and extracting funds from ATMs.

To minimize the risk of this threat, experts recommend that users avoid downloading apps from unverified sources and exercise caution when opening unfamiliar files or links.