This 'FireScam' Malware Is Preying On Victims By Pretending To Be 'Telegram Premium' For Android

Android on fire

Another day, another threat. And in the ever-evolving mobile ecosystem, there is no safe haven.

At least not for those who are careless about installing apps they don't really know, or who use services they don't really need. This time, security researchers have warned that a novel information-stealing Android malware has been lurking on the internet, preying on unsuspecting victims.

The malware, called 'FireScam', was initially discovered by researchers from threat intelligence firm Cyfirma.

And according to their report, the malware is particularly dangerous.

First off, it's described as "a sophisticated Android malware masquerading as a Telegram Premium app," and once installed, it is able to exfiltrate sensitive data, including notifications, messages, and other app data.

But what makes it persistent and next-level dangerous is that it employs obfuscation techniques to evade detection.

Telegram Premium

The malware app has been noted as being distributed via a GitHub.io-hosted phishing site purporting to be the genuine RuStore app store, which targets people in Russia.

"By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit user trust to deceive individuals into downloading and installing fake applications," Cyfirma said.

This narrow distribution approach suggests the attackers aren't bothering with other channels, or with trying to get the malware past Google Play's review disguised as some innocuous app. But a lookalike of a Russia-specific store lets them pinpoint their targets, and sideloading from a website bypasses Play's vetting entirely.

"By exploiting the popularity of messaging apps and other widely used applications," the researchers said, "FireScam poses a significant threat to individuals and organizations worldwide."

Next is the malware's multi-stage technique, which starts with a dropper mechanism and ends with data exfiltration.

"By capitalizing on the widespread usage of popular apps and legitimate services like Firebase," the threat intelligence report said, "FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices."

After exfiltrating sensitive data to a Firebase Realtime Database endpoint, FireScam also monitors device activities, including screen state changes, e-commerce transactions, clipboard activity, and user engagement.

In other words, FireScam also poses a threat as an on-device surveillance unit.

"As threats like FireScam continue to evolve, it is crucial for organizations to implement robust cybersecurity measures and proactive defense strategies," Cyfirma said.


FireScam can do this because the dropper app requests several permissions, including the ability to write to external storage and to install, update, or delete arbitrary apps on devices running Android 8 and later.

"The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app's designated owner. The initial installer of an app can declare itself the 'update owner,' thereby controlling updates to the app," Cyfirma noted.

"This mechanism ensures that update attempts by other installers require user approval before proceeding. By designating itself as the update owner, a malicious app can prevent legitimate updates from other sources, thereby maintaining its persistence on the device."

The rogue Telegram Premium app, when launched, further seeks the user's permission to access contact lists, call logs, and SMS messages, after which a login page for the legitimate Telegram website is displayed through a WebView to steal the credentials. Because the page is rendered inside the app's own WebView rather than in a browser, the user sees no address bar or certificate indicator, and the hosting app controls everything that happens in that view.

The data gathering process is initiated regardless of whether the victim actually logs in.
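The permission combination described above (install/delete capability, update-ownership lock-in, and access to contacts, call logs and SMS) is something an analyst can check for before ever running the sample. The following triage script is an added example written for this article, not code from Cyfirma or from the malware: it parses a decoded AndroidManifest.xml (the kind of text you get from apktool or aapt2, not the binary AXML inside the APK) and scores the declared permissions against that pattern. The permission names are real Android identifiers; the grouping, the scoring rule, the package names and both sample manifests are constructed for illustration.

```python
"""Manifest triage heuristic for the FireScam-style permission pattern.

Added example for this article. The permission constants are genuine Android
identifiers; the grouping and the escalation rule are this script's own
assumptions, not Cyfirma's methodology.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dropper capability: sideload, remove and stage other APKs.
DROPPER = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Persistence: lets the installer declare itself update owner of what it installs.
PERSISTENCE = {"android.permission.ENFORCE_UPDATE_OWNERSHIP"}
# Personal data requested by the fake Telegram Premium payload.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
# Notification access is declared on a <service>, not via <uses-permission>.
NOTIFICATIONS = {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}


def declared_permissions(manifest_xml: str) -> set:
    """Collect permission names from <uses-permission> and <service android:permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return perms


def triage(manifest_xml: str) -> dict:
    """Return per-group hits and a single escalation verdict.

    Rule (this example's assumption): dropper capability combined with
    update-ownership lock-in is worth escalating on its own; otherwise three
    or more groups must be hit. A plain file manager with only
    REQUEST_INSTALL_PACKAGES should not trip it.
    """
    perms = declared_permissions(manifest_xml)
    hits = {
        "dropper": sorted(perms & DROPPER),
        "persistence": sorted(perms & PERSISTENCE),
        "personal_data": sorted(perms & PERSONAL_DATA),
        "notifications": sorted(perms & NOTIFICATIONS),
    }
    groups_hit = [g for g, v in hits.items() if v]
    suspicious = bool(hits["dropper"]) and (bool(hits["persistence"]) or len(groups_hit) >= 3)
    return {"hits": hits, "groups_hit": groups_hit, "suspicious": suspicious}


# Constructed sample: a manifest shaped like the dropper/payload pattern in the article.
# The package name is hypothetical.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepremium">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application>
        <service android:name=".NotifyListener"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""

# Constructed sample: a benign file manager that legitimately sideloads APKs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(xml)
        print(label, result["suspicious"], result["groups_hit"])
```

Run it against `apktool d sample.apk` output by reading the decoded manifest into `triage()`. The verdict is a triage hint, not a conviction: a legitimate app store client also needs install and update-ownership permissions, so the script is meant to prioritise what a human looks at next.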


Android users can avoid FireScam by exercising caution when installing apps or opening files from untrusted sources, and when clicking on unfamiliar links.

They should also use reputable antivirus software, keep all software up to date and stay vigilant against social engineering attacks.

Not to mention that it would be best to stick with apps from the Google Play Store, since its vetting process is stricter than that of third-party Android app markets. It is not foolproof, but sideloading an APK from a website skips that review entirely, which is exactly the path FireScam relies on.

Published: 07/01/2025