• FireScam Android Malware: How Fake Telegram Premium Apps Exploit Firebase for Stealth Attacks

  • Jan 9 2025
  • Length: 30 mins
  • Podcast


  • Summary


    FireScam combines several techniques to evade detection and stay resident on an infected device.
    • Disguise: The malware is distributed as a fake "Telegram Premium" application through a phishing website that mimics the legitimate RuStore application store. Users who believe they are installing a genuine app from a genuine store are unlikely to question the install.
    • Dropper: A dropper with the package name ‘ru.store.installer’ installs FireScam on devices running Android 8 and newer. The dropper requests permissions to query and list all installed applications, read and modify external storage, install and delete applications, and take control of how the installed application is updated. Together these let it install the FireScam payload and keep control over it afterwards.
    • Restricting App Updates: FireScam declares itself the designated update owner of its own package, so another installer (for example a legitimate store pushing a real build) cannot silently update or replace it; the attempt is refused or requires explicit user confirmation. This does not stop a user from uninstalling the app, but it does stop the malicious package from being quietly swapped for a legitimate version.
    • Background activity: FireScam requests permissions that let it run in the background without the usual restrictions, so it can keep operating and collecting data without any visible activity.
    • Environment Checks: At runtime the malware inspects process names, enumerates installed applications and fingerprints the device to decide whether it is running in a sandbox, emulator or other analysis environment. This is designed to frustrate automated analysis and detection tooling.
    • Firebase Cloud Messaging (FCM): FireScam registers a service that handles FCM messages, and uses that channel to receive commands from its command-and-control (C&C) server. It also declares its own permissions to gate access to those components, so only the malware's own components can interact with them. The result is a backdoor over which the operators can issue instructions and receive exfiltrated data without any user interaction.
    In summary, FireScam relies on disguise, a dropper, an update-ownership persistence trick, unrestricted background execution, environment checks and an FCM-based command channel to evade detection and keep its foothold on an infected device.
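    Most of the indicators above are visible in a decoded AndroidManifest.xml before any dynamic analysis. The script below is an added example written for this page, not code from the podcast, Approov or the malware. It parses a decoded manifest (what `apktool d` writes) and flags the dropper permission set, an update-ownership claim, unrestricted background permissions, an FCM message handler, and components guarded by app-defined permissions. It assumes the "designated update owner" behaviour corresponds to the Android 14 permission android.permission.ENFORCE_UPDATE_OWNERSHIP, the background permission list is the editor's own choice, and both sample manifests (package names com.example.*) are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for FireScam-style indicators.

Added example for this page; not code from the podcast, Approov or FireScam.
Assumptions: ENFORCE_UPDATE_OWNERSHIP is taken as the Android 14+ mechanism
behind "designated update owner"; BACKGROUND_PERMS and both sample manifests
are constructed here for illustration.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"   # action delivered to an FCM service

# Permissions the summary attributes to the dropper.
DROPPER_PERMS = {
    "android.permission.QUERY_ALL_PACKAGES": "list all installed apps",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstall packages",
}
UPDATE_OWNER_PERM = "android.permission.ENFORCE_UPDATE_OWNERSHIP"  # assumed mechanism
BACKGROUND_PERMS = {  # constructed list: lets an app keep running unrestricted
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def parse_manifest(xml_text):
    """Return package name, requested and self-declared permissions, and the
    components with their intent actions and permission guards."""
    root = ET.fromstring(xml_text)
    info = {
        "package": root.get("package", ""),
        "uses": {e.get(A + "name") for e in root.iter("uses-permission")},
        "defines": {e.get(A + "name") for e in root.iter("permission")},
        "components": [],
    }
    for tag in ("service", "receiver", "activity"):
        for c in root.iter(tag):
            info["components"].append({
                "tag": tag,
                "name": c.get(A + "name"),
                "guard": c.get(A + "permission"),
                "actions": {a.get(A + "name") for a in c.iter("action")},
            })
    return info


def triage(info):
    """Map manifest facts onto the behaviours in the summary.
    Returns (category, detail) pairs; an empty list means nothing matched."""
    findings = []
    hits = sorted(p for p in info["uses"] if p in DROPPER_PERMS)
    # Enumerating packages plus installing them is the dropper's core capability.
    if {"android.permission.QUERY_ALL_PACKAGES",
        "android.permission.REQUEST_INSTALL_PACKAGES"} <= set(hits):
        findings.append(("dropper", "; ".join(DROPPER_PERMS[p] for p in hits)))
    if UPDATE_OWNER_PERM in info["uses"]:
        findings.append(("update-ownership",
                         "claims update ownership: other installers need user consent"))
    bg = sorted(info["uses"] & BACKGROUND_PERMS)
    if bg:
        findings.append(("background", ", ".join(p.rsplit(".", 1)[1] for p in bg)))
    for c in info["components"]:
        if FCM_ACTION in c["actions"]:
            findings.append(("fcm", f"{c['tag']} {c['name']} receives FCM messages"))
        # A component gated by a permission the app itself declares: only code
        # signed with the same key (the malware's own parts) can reach it.
        if c["guard"] in info["defines"]:
            findings.append(("custom-permission",
                             f"{c['tag']} {c['name']} guarded by {c['guard']}"))
    return findings


def triage_text(xml_text):
    return triage(parse_manifest(xml_text))


# Constructed manifest modelled on the indicators in the summary (not a real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakepremium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <permission android:name="com.example.fakepremium.permission.C2"
      android:protectionLevel="signature"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <receiver android:name=".CmdReceiver" android:exported="true"
        android:permission="com.example.fakepremium.permission.C2"/>
  </application>
</manifest>"""

# Constructed benign manifest: ordinary network permission, one activity, nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for category, detail in triage_text(SUSPECT_MANIFEST):
        print(f"[{category}] {detail}")
```

    Run it against the output directory of `apktool d sample.apk` by reading that AndroidManifest.xml into `triage_text`. None of these findings alone proves malice: legitimate app stores request the same install and query permissions, and many apps use FCM. What the script surfaces is the combination the summary describes, which is what an analyst should weigh.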

    ●Approov Website: approov.io
    ●OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security-testing-guide/ Covers mobile security testing, mobile app security and API channel integrity.
    ○OWASP Mobile Security Testing Guide (MSTG): The project's testing manual, used during development and review to find vulnerabilities in mobile app code and configuration.
    ○Mobile Application Security Verification Standard (MASVS): A security checklist for an app that is ready for release, which also serves as a baseline for penetration testing and defines security verification levels for mobile apps.
    ●OWASP API Security Project: https://owasp.org/www-project-api-security/ Focuses on understanding and mitigating API vulnerabilities and security risks.
    ●OWASP Top 10: https://owasp.org/www-project-top-ten/ The standard awareness document for developers and web application security, listing the most critical risks to web applications, many of which can also be exploited through APIs.
