Fake Telegram Premium App Spreads Dangerous FireScam Malware on Android

Android Users Targeted by ‘FireScam’ Malware Through Fake Telegram Premium App

A sophisticated new Android malware family called ‘FireScam’ has emerged. It is distributed as a counterfeit Telegram Premium app through fake RuStore websites hosted on GitHub, trading on the name of RuStore, Russia’s alternative to Google Play and Apple’s App Store, which VK launched in 2022 following Western sanctions.

According to Cyfirma researchers, the infection chain begins with a dropper module (GetAppsRu.apk) that uses DexGuard obfuscation to avoid detection. The dropper requests permissions for app identification, storage access, and package installation before deploying the main payload disguised as ‘Telegram Premium.apk’.
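The dropper profile described above (a package that asks to identify installed apps, read storage and install further packages before fetching its real payload) is something a defender can check for in a decoded manifest before an APK reaches a device. The following is an added example, not code from the article or from Cyfirma: it parses a constructed AndroidManifest.xml and scores how closely its permission set matches that profile. The mapping from the article's three permission categories to concrete permission names (REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, the external-storage permissions) is an assumption for illustration; the package names and manifests are constructed, not taken from GetAppsRu.apk.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the article's three permission categories to concrete
# Android permission names. The article names only the categories; the
# concrete permissions are real Android permissions chosen here as examples.
PERMISSION_CATEGORIES = {
    "package installation": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
    },
    "app identification": {
        "android.permission.QUERY_ALL_PACKAGES",
    },
    "storage access": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}

# Constructed manifest standing in for a dropper decoded from an APK; it is
# not the real GetAppsRu.apk manifest.
CONSTRUCTED_DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.getapps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="RuStore"/>
</manifest>
"""

# Constructed manifest for a benign-looking app with only network access.
CONSTRUCTED_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def matched_categories(permissions):
    """Return the sorted list of risk categories the permission set touches."""
    return sorted(
        category
        for category, names in PERMISSION_CATEGORIES.items()
        if permissions & names
    )


def assess_dropper_risk(manifest_xml):
    """Classify a manifest by how closely its permissions match a dropper profile.

    'dropper-like' means all three categories are present (install other
    packages, enumerate installed apps, read storage), which is the profile
    the article attributes to the FireScam dropper. Install permission plus
    one other category is 'suspicious'; anything else is 'low'.
    """
    categories = matched_categories(extract_permissions(manifest_xml))
    if len(categories) == 3:
        verdict = "dropper-like"
    elif "package installation" in categories and len(categories) == 2:
        verdict = "suspicious"
    else:
        verdict = "low"
    return verdict, categories


if __name__ == "__main__":
    for label, manifest in (("dropper", CONSTRUCTED_DROPPER_MANIFEST),
                            ("benign", CONSTRUCTED_BENIGN_MANIFEST)):
        verdict, categories = assess_dropper_risk(manifest)
        print(f"{label}: {verdict} {categories}")
```

Permissions alone do not prove an APK is malicious (legitimate app stores also install packages and enumerate apps), so the verdict is a triage signal for prioritising manual review or sandboxing, not a block decision on its own. In practice the manifest would come from a decoded APK rather than an inline string, and the obfuscation the article mentions (DexGuard) does not hide manifest permissions, which is why this check still works on obfuscated droppers.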

Key Capabilities:
– Credential theft through fake Telegram login screens
– Real-time data exfiltration to a Firebase Realtime Database
– Persistent WebSocket connection for remote command execution
– Comprehensive monitoring of screen activity and app usage
– Interception of e-commerce transactions and financial data
– Collection of clipboard content and auto-filled information

The malware maintains sophisticated surveillance by tracking screen events lasting over 1,000 milliseconds and monitoring user interactions across applications. It systematically categorizes the stolen data and transmits it to the attackers through a Firebase Realtime Database, where the information is staged temporarily before the attackers move it elsewhere.
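The exfiltration pattern in this paragraph (a persistent WebSocket channel for commands plus data pushed to a Firebase Realtime Database) leaves a network footprint that an enterprise mobile or proxy log can surface. The following is an added example, not code from the article or from Cyfirma: it runs three simple checks over constructed per-app connection records. The log format, the thresholds, the package names (including org.telegram.premium.fake) and the hostnames are assumptions made for this example; the only fact taken from outside the article is that Firebase Realtime Database instances are served under firebaseio.com.

```python
import re

# Constructed per-app connection log. The line format is an assumption made
# for this example; it is not output of any real tool named in the article.
SAMPLE_LOG = """\
2025-01-06T09:58:12Z pkg=com.android.chrome dst=www.example.org:443 proto=https dur_ms=812 bytes_out=2210
2025-01-06T09:59:03Z pkg=org.telegram.premium.fake dst=exfil-demo-default-rtdb.firebaseio.com:443 proto=https dur_ms=240 bytes_out=15120
2025-01-06T09:59:04Z pkg=org.telegram.premium.fake dst=exfil-demo-default-rtdb.firebaseio.com:443 proto=wss dur_ms=1850000 bytes_out=98800
2025-01-06T10:01:40Z pkg=com.example.notes dst=notes-app-default-rtdb.firebaseio.com:443 proto=https dur_ms=130 bytes_out=640
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) dur_ms=(?P<dur>\d+) bytes_out=(?P<out>\d+)$"
)

# Firebase Realtime Database instances are served under firebaseio.com.
FIREBASE_RTDB_SUFFIX = ".firebaseio.com"

# Assumed allowlist of apps known to use Firebase RTDB legitimately in this
# environment; com.example.notes is a constructed name.
KNOWN_FIREBASE_APPS = {"com.example.notes"}


def parse_log(text):
    """Parse log lines into dicts with numeric fields; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["port"] = int(rec["port"])
        rec["dur"] = int(rec["dur"])
        rec["out"] = int(rec["out"])
        records.append(rec)
    return records


def detect_exfil(text, long_ws_ms=600_000, bulk_bytes=50_000):
    """Flag connections matching the exfiltration pattern the article describes.

    Three independent signals are checked per connection, and a finding lists
    every reason that fired so an analyst can see why it was raised.
    The thresholds are assumptions for this example, not values from the article.
    """
    findings = []
    for rec in parse_log(text):
        reasons = []
        # Data staged in a Firebase RTDB by an app not known to use Firebase.
        if rec["host"].endswith(FIREBASE_RTDB_SUFFIX) and rec["pkg"] not in KNOWN_FIREBASE_APPS:
            reasons.append("unexpected Firebase RTDB endpoint")
        # A WebSocket held open for a long time, as a command channel would be.
        if rec["proto"] == "wss" and rec["dur"] >= long_ws_ms:
            reasons.append("long-lived WebSocket session")
        # Large outbound volume from a single connection.
        if rec["out"] >= bulk_bytes:
            reasons.append("bulk outbound transfer")
        if reasons:
            findings.append({"ts": rec["ts"], "pkg": rec["pkg"],
                             "host": rec["host"], "reasons": reasons})
    return findings


def packages_to_review(findings):
    """Aggregate findings per package, most reasons first, for an analyst queue."""
    counts = {}
    for finding in findings:
        counts[finding["pkg"]] = counts.get(finding["pkg"], 0) + len(finding["reasons"])
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    results = detect_exfil(SAMPLE_LOG)
    for finding in results:
        print(finding["ts"], finding["pkg"], finding["host"], "; ".join(finding["reasons"]))
    print(packages_to_review(results))
```

The allowlist is what keeps the Firebase check useful: many legitimate apps use Firebase, so the signal is "an app we do not expect to talk to Firebase is doing so", not "Firebase traffic exists". The WebSocket and volume checks are independent of the endpoint, so they would still fire if a later variant moved its staging area off Firebase.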

Security experts emphasize FireScam’s advanced evasion techniques and recommend users exercise caution when downloading applications or clicking unfamiliar links, particularly from unofficial sources.
