Spyware
Infostealer
Explore an in-depth technical analysis of FireScam—a stealthy Android malware po...
**FireScam** is a recently identified Android malware that masquerades as a “Telegram Premium” application. Its distribution method leverages GitHub.io-based phishing sites impersonating the legitimate Russian **RuStore** app store, thereby deceiving unwary users into installing a bogus APK. With its **multifaceted spyware and information-stealing capabilities**, FireScam represents a crucial case study in modern mobile malware, demonstrating innovative evasion techniques, comprehensive data exfiltration processes, and persistent surveillance functionality.
This Threatfeed provides a **deeply technical** and **context-driven** analysis of FireScam, illustrating how it operates, spreads, and maintains control over compromised devices.
## **2. Threat Distribution and Infection Chain**
### **2.1 Phishing Website (GitHub.io)**
- **URL Impersonation**: FireScam is distributed through a GitHub.io-hosted website impersonating **RuStore** (a popular Russian app store).
- **Site Address**:
```
https://rustore-apk.github[.]io/telegram_premium/
```
- **User Deception**: The phishing site closely mirrors official app store styling, luring victims into downloading a malicious file named **GetAppsRu.apk**—which appears legitimate but is in fact a **dropper**.
### **2.2 Dropper APK: GetAppsRu.apk**
- **File Name**: `GetAppsRu.apk`
- **Hashes**:
- MD5: `5d21c52e6ea7769be45f10e82b973b1e`
- SHA-256: `b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b`
- **Technical Properties**:
- Protected using **DexGuard**, which obfuscates classes, methods, strings, and control flow.
- Requests extensive permissions, including `REQUEST_INSTALL_PACKAGES`, enabling it to install additional APKs without explicit user interaction.
- Disguised with the package name `ru.store.installer` to appear like a legitimate Russian application manager.
### **2.3 Main Payload: Telegram Premium.apk**
- **File Name**: `Telegram Premium.apk`
- **Hashes**:
- MD5: `cae5a13c0b06de52d8379f4c61aece9c`
- SHA-256: `12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1`
- **Packaging Details**:
- Significantly smaller (around 3 MB).
- Protected with **NP Manager** (offers encryption and anti-analysis functionalities).
- Installs under the package name `ru.get.app`, masquerading as “Telegram Premium.”
> **Infection Flow**
> 1. **User visits** the phishing website.
> 2. **User downloads** the dropper (`GetAppsRu.apk`).
> 3. **Dropper launches** on the victim’s device and executes an “Install” function.
> 4. **Main payload** (`Telegram Premium.apk`) is silently installed.
> 5. **Malware sets up** monitoring, exfiltration, and anti-analysis routines.
---
## **3. Technical Analysis of FireScam**
### **3.1 Anti-Analysis and Evasion Mechanisms**
1. **Obfuscation**
- **DexGuard** & **NP Manager** transform class/method names into random or meaningless labels.
- Inherits from **empty classes** to confuse static analysis and hinder method-tracing.
2. **Sandbox Detection**
- **Checks runtime process** name for anomalies (typical of emulators like `test` or `sandbox`).
- **Profiles device** (build details, manufacturer, installed apps) to confirm a real device environment.
3. **Runtime Behavior Control**
- **Conditional Execution**: The malware modifies its behavior if it detects an analysis environment, possibly refraining from executing malicious routines to avoid detection.
### **3.2 Permissions and Potential Abuse**
- **`REQUEST_DELETE_PACKAGES`** & **`REQUEST_INSTALL_PACKAGES`**
- Permits removal or installation of other applications silently, aiding further compromise or removing security tools.
- **`WRITE_EXTERNAL_STORAGE` & `READ_EXTERNAL_STORAGE`**
- Enables the app to read or write files to the SD card, potentially exfiltrating data or saving malicious components.
- **`QUERY_ALL_PACKAGES`**
- Allows listing all installed apps for reconnaissance and potential exploitation paths.
- **`ENFORCE_UPDATE_OWNERSHIP`**
- Declares itself as the “update owner,” preventing legitimate sources from installing genuine updates over it.
### **3.3 Core Functional Modules**
FireScam focuses on **monitoring**, **data exfiltration**, and **persistent communication**:
1. **Firebase Cloud Messaging (FCM)**
- Registers for push notifications through **MessagingService**.
- Can receive commands to download further payloads or exfiltrate specific data sets.
2. **Dynamic Broadcast Receivers**
- **Restricted Access**: Only apps signed with the same certificate can communicate, enabling a private channel with other malicious modules.
3. **Firebase Realtime Database (C2 Channel)**
- **Data Endpoint**:
```
https://androidscamru-default-rtdb.firebaseio.com
```
- **WebSocket Upgrades**: Uses `Upgrade: websocket` for persistent real-time data exchange, allowing seamless command execution and data exfiltration.
---
## **4. Surveillance and Data Exfiltration Workflows**
### **4.1 System and Device Profiling**
Upon installation, FireScam executes:
1. **Initial Device Info Collection**
- Device model, manufacturer, OS version, locale.
- Sent to Firebase with “online” status, letting attackers verify newly infected devices.
2. **Continuous Environment Monitoring**
- Tracks changes in device configuration.
- Logs presence of antivirus or known security apps.
### **4.2 Notification Listener**
- **`NotifyListener`** Service
- Implements `NotificationListenerService` to intercept notifications from **all** apps (e.g., WhatsApp, Telegram, Viber, banking apps).
- Filters out “silent” or “ongoing” notifications; captures “alerting” or “conversation” types.
- Exfiltrates the entire notification payload (sender, message snippet, etc.).
> **Why This Matters**
> Attackers can glean personal communication, 2FA codes, and system warnings. This broad-level interception is a hallmark of advanced spyware.
### **4.3 Messages and USSD Monitoring**
- **SMS Content Extraction**
- Observes the **Messages** application to read inbound SMS.
- Tags logs with `appName: Messages` and uploads them to Firebase.
- **USSD Responses**
- Monitors `TelephonyManager.UssdResponseCallback` to track USSD session outcomes (used for balance checks, mobile money transfers).
- Logs success or failure codes, possibly capturing **sensitive financial** data.
### **4.4 Clipboard and Screen Activity**
- **Clipboard Logging**
- Hooks into `ContentInfoCompat` to capture:
- **Autofill** fields.
- **Clipboard** data (copied passwords, account numbers, etc.).
- **Shared text/URI** from other apps.
- **Screen State Monitoring**
- Listens for `SCREEN_ON` and `SCREEN_OFF` broadcasts.
- Logs active durations to ascertain user engagement.
- Potentially uses these timings to intensify data collection when the user is active.
### **4.5 E-commerce Transaction Tracking**
- **Purchase & Refund Events**
- Analyzes event types **`ecommerce_purchase`**, **`purchase`**, **`refund`**.
- Flags these for special logging and exfiltration, possibly targeting shopping or financial apps.
### **4.6 Potential to Download Additional Payloads**
- **Image Download & Decoding**
- The malware attempts to retrieve images from remote URLs.
- Could embed further malicious code (e.g., steganography), facilitating a secondary infection stage.
---
## **5. Behavioral Flow of FireScam**
1. **Installation & Initial Launch**
- Victim opens `GetAppsRu.apk` → Installs the **fake Telegram Premium**.
- On first run, FireScam requests various permissions.
2. **User Login Spoofing**
- Presents a **WebView** mimicking the official `web.telegram.org` interface.
- Collects any credentials entered, storing or sending them to Firebase.
3. **Background Surveillance**
- Registers with Firebase for push notifications.
- Begins capturing notifications, SMS, USSD, etc.
4. **Data Transmission**
- Bundles collected data and securely sends over a **TLS/WebSocket** session.
- The C2 server acknowledges and may issue new commands.
5. **Potential Secondary Payload Execution**
- If commanded, FireScam silently downloads additional components or updates itself, maintaining **long-term persistence**.
---
## **6. Indicators of Compromise (IOCs)**
| **S/N** | **Indicator** | **Type** | **Context** |
|:------:|:----------------------------------------------------------------------------------------------------------------|:--------:|:------------------------------|
| 1 | `5d21c52e6ea7769be45f10e82b973b1e` | File | Dropper (GetAppsRu.apk) |
| 2 | `b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b` | File | Dropper (GetAppsRu.apk) |
| 3 | `cae5a13c0b06de52d8379f4c61aece9c` | File | Telegram Premium.apk |
| 4 | `12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1` | File | Telegram Premium.apk |
| 5 | `https://s-usc1b-nss-2100[.]firebaseio[.]com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*` | URL | C2 – Exfiltration |
| 6 | `s-usc1b-nss-2100[.]firebaseio[.]com` | Domain | C2 – Exfiltration |
| 7 | `https[:]//androidscamru-default-rtdb[.]firebaseio[.]com` | URL | C2 Endpoint Database |
| 8 | `https[:]//rustore-apk[.]github[.]io/telegram_premium` | URL | Phishing Website |
---
## **7. MITRE ATT&CK Framework Mapping**
| **Tactic** | **Technique** |
|---------------------------------|----------------------------------------------------------|
| **Initial Access (TA0027)** | T1660: Phishing |
| **Persistence (TA0028)** | T1624.001: Broadcast Receivers |
| **Privilege Escalation (TA0029)**| T1626.001: Device Administrator Permissions |
| **Defense Evasion (TA0030)** | T1628: Hide Artifacts <br>T1406: Obfuscated Files or Info <br>T1633: Virtualization/Sandbox Evasion |
| **Credential Access (TA0031)** | T1517: Access Notifications <br>T1414: Clipboard Data |
| **Discovery (TA0032)** | T1424: Process Discovery <br>T1426: System Info Discovery|
| **Collection (TA0035)** | T1517: Access Notifications <br>T1414: Clipboard Data <br>T1513: Screen Capture |
| **Command and Control (TA0037)**| T1437.001: Web Protocols <br>T1521: Encrypted Channel |
| **Exfiltration (TA0036)** | T1646: Exfiltration Over C2 Channel |
---
## **8. YARA Rule for FireScam Detection**
```yara
rule FireScam_Malware_Indicators {
meta:
description = "Detects FireScam malware based on file hashes, URLs, and network indicators"
author = "Cyfirma Research"
last_modified = "2024-12-25"
strings:
// MD5 Hashes
$md5_1 = "5d21c52e6ea7769be45f10e82b973b1e" ascii
$md5_2 = "cae5a13c0b06de52d8379f4c61aece9c" ascii
// SHA256 Hashes
$sha256_1 = "b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b" ascii
$sha256_2 = "12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1" ascii
// URLs
$url_1 = "https://androidscamru-default-rtdb.firebaseio.com" ascii
$url_2 = "https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=" ascii
$url_3 = "https://rustore-apk.github.io/telegram_premium/" ascii
condition:
// Match on either hash or URL indicators
($md5_1 or $md5_2 or $sha256_1 or $sha256_2) or
($url_1 or $url_2 or $url_3)
}
```
---
## **9. Defensive Recommendations**
1. **Endpoint Security and Monitoring**
- Deploy **antimalware** solutions on mobile endpoints.
- Implement **host-based intrusion detection** (HIDS/HIPS).
- Continuously monitor system logs for unusual processes or network requests.
2. **Network-Level Controls**
- **NIDS/NIPS**: Inspect traffic for suspicious patterns or known malicious signatures.
- **Web Application Firewalls (WAFs)**: Block access to malicious GitHub.io pages and Firebase endpoints if detected malicious.
3. **Application Whitelisting**
- Restrict installations to apps from **official app stores**.
- Use **enterprise mobile management** (EMM) solutions to limit user’s ability to install unknown APKs.
4. **Patching and Vulnerability Assessments**
- Regularly update the OS and all installed applications.
- Conduct **penetration tests** to uncover misconfigurations or weak security policies.
5. **User Awareness and Training**
- Educate users about **phishing tactics** and suspicious links.
- Encourage verification of official app stores and developers.
- Foster a security-first culture to reduce the success rate of social engineering.
6. **Incident Response Preparedness**
- Develop an **IR plan** that outlines isolation measures for compromised devices.
- Maintain an up-to-date **threat intelligence** feed to proactively block known malicious indicators.
---
FireScam exemplifies a **highly advanced** Android malware strain adept at **bypassing security barriers**, conducting **real-time surveillance**, and **stealing sensitive user data** through covert channels. Its dual distribution approach—**phishing website** plus **dropper APK**—shows the **evolving sophistication** of mobile threat actors and underscores the **need for layered security**. By diligently applying **robust endpoint protections**, **network filtering**, **user education**, and **timely updates**, individuals and organizations can **thwart** FireScam’s infiltration and mitigate potential harm.
> **Final Takeaway**: As Android malware matures, blending social engineering with advanced evasion, **proactive security measures** and **continuous monitoring** become non-negotiable. FireScam’s cunning approach—disguised as a trusted app and enhanced by legitimate cloud services—demonstrates how crucial it is to remain **vigilant** and **updated** on emerging threats in the mobile landscape.
---
### **Additional Resources**
- **Mobile Security Best Practices**: [Android Security Center](https://source.android.com/security)
- **DexGuard and NP Manager**: Official vendor documentation on obfuscation techniques
- **Firebase Security Rules**: [Firebase Docs](https://firebase.google.com/docs/rules)
> **Disclaimer**: This technical writeup is intended solely for **educational** and **defensive** security purposes. All research is based on publicly available or ethically sourced information. Always comply with **legal** and **ethical** guidelines when analyzing malware.
