www.cyfirma.com Open in urlscan Pro
2606:4700:10::ac43:18d6  Public Scan

URL: https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
Submission: On January 03 via manual from US — Scanned from ES

Form analysis 0 forms found in the DOM

Text Content

 * Company
 * Products
   
   PRODUCTS
   
    * DeCYFIRThreat Visibility and Intelligence
    * DeTCTDigital Risk Discovery
    * DeFNCECyber Defence Mobile App

 * Partners
   
   PARTNERS
   
    * Channel Partners
    * Technology Partners

 * Resources
   
   RESOURCES
   
    * Research
    * Blogs
    * Newsroom
    * Datasheets
    * Whitepapers
    * Case Studies

 * Get Started
 * Contact Sales

 * Global (English)


 * Global (English)


INSIDE FIRESCAM : AN INFORMATION STEALER WITH SPYWARE CAPABILITIES



Published On : 2024-12-30
Share :
 * 
 * 
 * 




EXECUTIVE SUMMARY

At CYFIRMA, we are dedicated to providing current insights into prevalent
threats and the strategies employed by malicious entities targeting both
organizations and individuals. This report explores the mechanics of FireScam, a
sophisticated Android malware masquerading as a Telegram Premium app. Through
in-depth analysis, we aim to shed light on its distribution methods, operational
features, and the broader implications of its malicious activities. The findings
highlight the malware’s capabilities and the critical need for robust security
measures to counteract such threats.


INTRODUCTION

The rapid adoption of mobile applications has created fertile ground for threat
actors to exploit unsuspecting users. FireScam is a recent example of malware
that leverages phishing websites to distribute its payload and infiltrate
Android devices. Disguised as a fake “Telegram Premium” app, it is distributed
through a GitHub.io-hosted phishing site that impersonates RuStore – a popular
app store in the Russian Federation. The malware employs a multi-stage infection
process, starting with a dropper APK, and performs extensive surveillance
activities once installed. By capitalizing on the widespread usage of popular
apps and legitimate services like Firebase, FireScam exemplifies the advanced
tactics used by modern malware to evade detection, execute data theft, and
maintain persistent control over compromised devices. This report provides an
in-depth analysis of FireScam’s distribution, functionality, and impact.


KEY FINDINGS

 * FireScam is an information stealing malware with spyware capabilities.
 * It is distributed as a fake ‘Telegram Premium’ APK via a phishing website
   hosted on the GitHub.io domain, mimicking the RuStore app store.
 * The phishing website delivers a dropper that installs the FireScam malware
   disguised as the Telegram Premium application.
 * The malware exfiltrates sensitive data, including notifications, messages,
   and other app data, to a Firebase Realtime Database endpoint.
 * FireScam monitors device activities such as screen state changes, e-commerce
   transactions, clipboard activity, and user engagement to gather valuable
   information covertly.
 * Captures notifications across various apps, including system apps, to
   potentially steal sensitive information and track user activities.
 * It employs obfuscation techniques to hide its intent and evade detection by
   security tools and researchers.
 * FireScam performs checks to identify if it is running in an analysis or
   virtualized environment.
 * The malware leverages Firebase for command-and-control communication, data
   storage, and to deliver additional malicious payloads.
 * Exfiltrated data is temporarily stored in the Firebase Realtime Database,
   filtered for valuable content, and later removed.
 * The Firebase database reveals potential Telegram IDs linked to the threat
   actors and contains URLs to other malware specimens hosted on the phishing
   site.
 * By exploiting the popularity of messaging apps and other widely used
   applications, FireScam poses a significant threat to individuals and
   organizations worldwide.


ETLM ATTRIBUTION

FireScam is an information-stealing malware with spyware capabilities targeting
Android-based devices. It is capable of monitoring a wide range of activities on
the compromised device, including notifications, messages, USSD responses,
clipboard content, and more. Additionally, it can exfiltrate the captured
details to remote servers via Firebase Realtime Database, allowing attackers to
access sensitive information.

FireScam malware is distributed as a fake ‘Telegram Premium’ APK through a
website hosted on the github[.]io domain. This website is a phishing attempt
mimicking RuStore (rustore.ru), an app store launched by Russian internet group
VK, based in the Russian Federation. The malware is disguised as a legitimate
app to trick users into installing it, where it then steals sensitive
information and exfiltrates data to Firebase C2 endpoint.



https[:]//rustore-apk[.]github[.]io/telegram_premium/

An APK is downloaded from this phishing website, acting as a dropper that
subsequently installs the FireScam malware, disguised as the “Telegram Premium”
application.

The exfiltrated data is temporarily stored in the Firebase Realtime Database at
the URL “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” and is later
removed after potentially filtering and storing the important content in another
private storage location:





Exfiltrated content from compromised device on firebase database endpoint

This Firebase Realtime Database also reveals potential Telegram IDs used by the
members of the threat actor group and/or the users of the malware under the
‘users’ tag:



Potential telegram IDs of the members of the threat actor group/ malware users

This database also contains the URL of the phishing website that downloads the
first stage (dropper) malware under the ‘app’ tag, which further reveals the
location of another malicious specimen (CDEK) on the same phishing site:



Malicious app reference

At the time of writing, the CDEK app, as mentioned in the Firebase Realtime
Database, is not available at the specified URL.

Threat Landscape:
The threat landscape in which FireScam operates underscores the growing success
probability of phishing websites in distributing malware. By mimicking
legitimate platforms such as the RuStore app store, these malicious websites
exploit user trust to deceive individuals into downloading and installing fake
applications, like “Telegram Premium.” The success rate of such phishing schemes
is high, as users often fail to recognize the signs of phishing or malicious
intent.

With the ability to distribute malware through seemingly legitimate channels,
these phishing websites increase the likelihood of users falling victim to
social engineering tactics. Once installed, FireScam carries out its malicious
activities, including data exfiltration and surveillance, further demonstrating
the effectiveness of phishing-based distribution methods in infecting devices
and evading detection. Attackers are leveraging innovative methods to bypass
security measures, such as using obfuscation techniques to evade detection by
static analysis tools and employing advanced persistence mechanisms.
Additionally, the rise of mobile malware targeting both personal and enterprise
devices underscores the importance of robust cybersecurity strategies to protect
sensitive data and maintain operational integrity in an ever-evolving digital
environment.


ANALYSIS OF FIRESCAM

The Dropper File Name GetAppsRu.apk File Size 5.15 MB (54,02,718 bytes) MD5
5d21c52e6ea7769be45f10e82b973b1e SHA-256
b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b Signature
Status Valid APK signature Trust Level Not signed by a trusted or recognized
certificate authority

This specimen (GetAppsRu.apk) is a dropper that acts as a delivery agent for the
primary payload. It is protected by DexGuard, which is used to rename classes,
methods, and fields with meaningless names. Additionally, it encrypts strings
within the APK and modifies the application’s control flow to make it harder to
analyze:



Protected using DexGuard

The dropper’s package name is “ru.store.installer”, and it is targeting devices
running Android 8 (API level 26) through Android 15 (API level 35):



Target android versions

it (GetAppsRu.apk) requests a series of permissions:



Permissions: primary specimen

The APK declares the QUERY_ALL_PACKAGES permission, enabling it to query and
list all installed applications on the device, potentially for reconnaissance
purposes. The WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE permissions, both
restricted and marked as sensitive, indicate the app’s ability to access and
modify external storage, which could lead to data exfiltration or the storage of
malicious files.

The REQUEST_DELETE_PACKAGES and REQUEST_INSTALL_PACKAGES permissions enable the
APK to install and delete other applications, suggesting the potential for
unauthorized app installations or deletions. Additionally, the
UPDATE_PACKAGES_WITHOUT_USER_ACTION permission further escalates the threat by
allowing updates without user consent, potentially facilitating malware
persistence and propagation.

The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app’s
designated owner. The initial installer of an app can declare itself the ‘update
owner,’ thereby controlling updates to the app. This mechanism ensures that
update attempts by other installers require user approval before proceeding. By
designating itself as the update owner, a malicious app can prevent legitimate
updates from other sources, thereby maintaining its persistence on the device.

DROPPER’S DYNAMICS:

The dropper installs as ‘GetAppsRu’. Clicking the app’s icon launches the
BaseActivity of the dropper, which presents an ‘Install’ option for ‘Telegram
Premium’ – the main payload contained in its resources as ‘child.apk’:



Dropper’s BaseActivity

Following the security warning, it installs the FireScam malware (child.apk) on
the device from its resource, using the app name ‘Telegram Premium’:



Installation of FireScam

FireScam File Name Telegram Premium.apk File Size 3.03 MB (3175196 bytes) MD5
cae5a13c0b06de52d8379f4c61aece9c SHA-256
12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1 Signature
Status Valid APK signature Trust Level Not signed by a trusted or recognized
certificate authority

The main payload, Telegram Premium.apk (ru.get.app), targets devices running
Android 8 (API level 26) through Android 15 (API level 35):



Target android versions

DEFENSE/ANTI-ANALYSIS CAPABILITIES:

FireScam employs protection using NP Manager, which safeguards the core package
ru.get.app against analysis and reverse engineering through encryption,
obfuscation, hiding details, and confusion.



Protecting core package with NP Manager

Another obfuscation technique it employs is the creation and inheritance of
empty classes:



obfuscation pattern: inheritance of empty classes

The malware identifies the process name at runtime, which could potentially be
used to determine whether the application is running in a sandbox environment
(e.g. under a different process) or on a real device.



Verifies process name

It can verify whether the process name is unusual, such as in an emulator or
under specific analysis tools. This helps the APK decide whether to run normally
or behave differently, for example avoiding malicious behavior if detected
within a sandbox or debugging environment.

The malware analyzes the environment by checking installed applications and
fingerprinting key device details, such as the model, manufacturer, build
version, and other system properties. This enables it to determine whether it is
running in a controlled or virtualized environment, helping it evade detection
or analysis. By profiling the device, the malware can optimize its attack, adapt
its behavior to the specific environment, and bypass security measures, ensuring
the success of its operations. This technique is commonly employed in advanced
persistent threats (APTs) or spyware, which seek to remain undetected while
gathering intelligence from targeted users.



Device fingerprinting



Checking installed apps

KEY ACTIONS:

Listens for Firebase push notifications:
The app registers a service to receive Firebase Cloud Messaging (FCM)
notifications. When the app receives a push notification or message through
Firebase, the service (MessagingService) is triggered. The action
com.google.firebase.MESSAGING_EVENT is a special event used by Firebase to
initiate the service whenever a new message (push notification) is delivered via
FCM.



Firebase Cloud Messaging (FCM) notifications service

It can be used for various purposes – such as receiving remote commands to
execute specific actions based on instructions sent via Firebase push
notifications and can additionally enable the silent delivery of malicious
payloads, which can be downloaded and installed when triggered by Firebase
notifications. The app can also exfiltrate sensitive data from the device to a
remote server without the user’s awareness, maintaining continuous communication
with the remote server even when the app is not actively in the foreground. This
persistent communication makes it more difficult for security tools to detect
malicious activity, allowing the app to evade detection by operating covertly
and bypassing traditional security measures.

Exploits Dynamic Broadcast Receivers:
The registered dynamic receiver defines a custom permission to control access,
ensuring that only apps signed with the same certificate can interact with it.
This setup could allow an attacker to gain restricted access to sensitive device
events or data by controlling the dynamic broadcast receiver. Only apps signed
by the attacker would be able to interact with the receiver, effectively
creating a backdoor for communication between the malicious app and other
compromised apps.



Dynamic receiver with restricted access

Abuse of firebaseio.com for Data Exfiltration:
FireScam abuses Firebase Realtime Database to exfiltrate key details and stolen
data:



Code snippet: Firebase Database URL Construction and Validation

The Firebase Project ID is stored in the strings.xml file under resources and is
used to construct the complete URL where the data is exfiltrated:



The strings.xml file also contains the firebase_database_url, google_api_key,
and app_id:



Snippet: strings.xml

Initial Device Information Exfiltration:
Upon installation and startup, the malicious app immediately sends sensitive
device information to a Firebase Realtime Database URL. This initial
communication includes details about the compromised device, such as the device
name, app name, notification text, and the date and time of the event:



Initial information exfiltration

Messages Exfiltration:
The malware monitors the activity of the Messages app on the compromised device
and exfiltrates the content of text messages. It tags the exfiltrated data with
the label “appName: Messages” to indicate the source app, sending data to a
designated Firebase Realtime Database URL. By continuously monitoring and
exfiltrating message content, the malware enables attackers to access sensitive
communication data from the device, facilitating further surveillance and data
theft:



Message exfiltration

Monitors screen state changes:
The malware monitors screen state changes on the compromised device by listening
for specific broadcast intents related to the screen’s on/off status. When the
screen is turned on (android.intent.action.SCREEN_ON), it captures the event and
logs it, tagging the notification with the app’s name. Similarly, when the
screen is turned off (android.intent.action.SCREEN_OFF), it detects the state
change and logs the corresponding event. The captured data, such as the event
type (screen on or off) and the app name, is then sent to the Firebase real-time
database for further processing or surveillance. This behavior allows the
attacker to track when the device is in use, enabling more targeted actions
based on screen activity:



Code snippet: screen monitoring

Notification Monitoring:
The NotifyListener service, implemented as a subclass of
NotificationListenerService, monitors device notifications based on criteria
defined in the AndroidManifest.xml. Notifications categorized as “conversations”
or “alerting” are processed, while “ongoing” or “silent” notifications are
ignored. The class includes an array (f6318r) listing package names for specific
apps like Telegram, WhatsApp, Viber, and VK. However, this array is not used in
the provided code, suggesting that app-specific filtering was either planned but
not implemented or omitted.



Code snippet: notification monitoring

As a result, the malware does not restrict itself to monitoring notifications
from these specific apps but instead captures all notifications that meet the
general filters. This broad monitoring capability enables the malware to
potentially access sensitive information across various apps, leveraging
notification data for malicious purposes.

Additionally, the app requests the BIND_NOTIFICATION_LISTENER_SERVICE
permission, granting it access to all notifications on the device. This is a
common tactic used by malicious apps to monitor or collect sensitive data from
other applications. By capturing notifications from multiple apps, the malware
can intercept messages, call alerts, and track user activities, such as logins
and system events. This compromises user privacy and can facilitate targeted
attacks, such as phishing or unauthorized data collection. Since the service
processes all notifications, the malware can silently observe sensitive
information without the user’s knowledge or consent, making detection and
mitigation more challenging.

The inclusion of obfuscation techniques, such as Protect.classesInit0(4),
highlights the app’s efforts to conceal its true intent, making it more
difficult to reverse-engineer. These techniques are commonly employed to obscure
the app’s functionality, hindering security analysis and decreasing the
likelihood of detection by security software or researchers.

USSD Response Handling and Data Logging:
The malware listens for USSD responses using the C0109c class, which extends
TelephonyManager.UssdResponseCallback. This class handles both successful and
failed USSD responses, logging the response data along with associated error
codes. The MessagingService retrieves the app name, which is included in the
logs to provide context:



Code snippet: USSD response monitoring

With elevated permissions, such as access to SMS and telephony services, the
malware exploits its functionality to silently intercept and log USSD responses,
which may include sensitive information like account balances, mobile
transactions, or network-related data. These logs are then exfiltrated to a
Firebase database, granting attackers remote access to the captured details
without the user’s knowledge.

Furthermore, the malware can track and manipulate USSD interactions, potentially
triggering malicious actions or commands. This covert behavior allows the
malware to bypass detection, steal sensitive data, and operate undetected by the
user.

Monitors Clipboard and Content Sharing Operations:
The ContentInfoCompat class logs detailed information about content being
processed, including text and URIs, while identifying the source of the content.
It categorizes the source into several types, such as:

 * Text Input: User-typed text or text selected from the interface.
 * Autofill: Automatically filled data, potentially including passwords or
   forms.
 * Clipboard: Content copied from other apps.
 * Drag and Drop: Content being moved by the user via drag-and-drop actions.
 * Input Method: Data entered through keyboard inputs.
 * App: Direct sharing from another application.

This logging capability enables the malware to capture and analyze data from
various sources, increasing the potential for exfiltrating sensitive
information.



Code snippet: content monitoring from different sources

This functionality enables the malware to track and log sensitive content from
various sources, including copied text, auto-filled passwords, and shared app
data. It can intercept private information such as login credentials, account
numbers, and personal messages, exfiltrating the data to a remote server. By
monitoring the content’s source and type, the malware can target specific user
actions or data for collection. Such behavior is characteristic of spyware and
information-stealing malware.

Monitoring User Engagement and Screen Exposure:
The malware tracks user engagement and screen exposure by monitoring the
duration the screen remains active and recording user interactions. During
initialization, it sets up variables to record the system’s current time and
configures necessary components. The method m4710a calculates the duration of
screen activity and user engagement. Events with screen exposure lasting less
than 1,000 milliseconds are ignored, while longer durations are logged as user
engagement. This data is then transmitted to the Firebase database for further
analysis or malicious use.



Code snippet: screen/ user activity monitoring

By monitoring user engagement, the malware can track how long a user interacts
with specific apps or content. It can also determine when the device is actively
in use, allowing the malware to collect data on user habits and interactions.
This functionality is commonly employed by spyware to covertly gather sensitive
information, enabling further malicious activities such as targeted ads, fraud,
or more intrusive surveillance.

Monitoring E-commerce Transactions:
The malware monitors and intercepts specific events, such as purchases or
refunds, by evaluating event types based on input parameters. It first checks if
the event type matches predefined values, such as “ecommerce_purchase”,
“purchase”, or “refund.” If a match is found, it returns true, indicating that
the event is of interest. If not, it queries a map (f7080w) associated with the
event name and checks if a corresponding Boolean value exists for the event
type. If the Boolean value is found and set to true, the malware considers the
event valid and returns true:



Code snippet: e-commerce activity monitoring

This functionality is likely used by the malware to monitor and potentially
intercept user activities related to financial transactions, such as purchases
or refunds. By targeting these specific events, the malware can track user
behavior within e-commerce apps, potentially gathering sensitive information
such as transaction details and payment data.

Potential to Download Additional Payload:
The malware attempts to download and process image data from a specified URL:



Code snippet: download capability

This functionality allows the malware to download and decode images from a
remote server, potentially for malicious purposes such as exfiltrating data or
delivering payloads disguised as images. By leveraging Firebase Messaging or
other communication channels, the malware could receive images containing hidden
data or malware in encoded form, enabling covert data transfer or execution of
further attacks.

FIRESCAM’S DYNAMICS:

The dropper installs and executes the main payload (Telegram Premium),
initiating the ‘IntroActivity’ to display the welcome screen:



IntroActivity: welcome screen

Following this, the app requests permissions for Contacts, Phone, and Messages.
Meanwhile, it sends a POST request to Firebase to register the installation with
the unique ID ‘androidscamru’ at the URL
“https[:]//firebaseinstallations[.]googleapis[.]com/v1/projects/androidscamru/installations”.
This unique ID will be used for future operations, such as FCM.

It also sends a POST request to
“https[:]//android[.]apis[.]google[.]com/c2dm/register3”, attempting to register
the device for receiving push notifications through the Cloud to Device
Messaging (C2DM) service, which has since been deprecated.

FireScam requests additional permissions to allow unrestricted background
activity (exemption from battery optimization) and to access notifications on
the compromised device.



Requesting Permission

After obtaining all of the required permissions, it launches WebActivity, which
uses a WebView to display the login interface of the legitimate Telegram website
(web[.]telegram[.]org). The interface prompts the user to log in using their
telephone number:



WebVIew: Telegram login

Regardless of whether the user logs into the Telegram web interface presented
via WebView on the compromised device, the malware begins its data and
information-stealing process.

Spying and Exfiltration:
First, the malware notifies the threat actor by sending the device’s state (e.g.
“online”) along with details such as the date, time, device name, and identifier
text. This confirms the compromise and the active state of the malware:



Device current status on the Firebase real-time database

It monitors the activity of the Messages app on the device and uploads the
captured content to the Firebase Realtime Database as soon as it is retrieved:



Received message on the device



Stolen message on the Firebase real-time database

FireScam also monitors all notifications, captures the details, and exfiltrates
them to its Firebase C2 endpoint. The message shown above is captured by the
malware app through notification monitoring:



Message notification captured by malware (firebase C2 endpoint)

With its notification monitoring capabilities, FireScam can stealthily observe
and record system activities, trigger malicious actions in response to specific
events, evade detection by security software, and maintain persistence on the
compromised device.

FireScam also captures data and information from other applications, such as the
Phone app, Google Play Store, and others:



Captured missed call from Phone app (firebase C2 endpoint)



Captured Google Play warning (firebase C2 endpoint)



Captured data from Viber app (firebase C2 endpoint)

FireScam also monitors screen activity and uploads any significant findings to
the Firebase C2 endpoint:



Captured screen activity (firebase C2 endpoint)

All the malicious activities identified during the behavioral analysis
corroborate the findings from the code analysis, confirming the app’s
functionality, behavior, and capabilities. It also highlights the use of
legitimate services, such as Firebase, for malicious purposes, including data
exfiltration, command-and-control communication, and evasion of security
mechanisms.

NETWORK INSIGHTS:

The code and behavioral analysis reveal that FireScam captures data from the
compromised device, while network activity analysis confirms that the data is
exfiltrated to the Firebase C2 endpoint over a secure TLS connection.

The intercepted traffic reveals a GET request to the host
“s-usc1b-nss-2100[.]firebaseio[.]com”, with the value of the ‘ls’ parameter
differing in each request sent to the host:



Communication with firebase C2 endpoint

“Upgrade: websocket” indicates that the malware attempts to establish a
WebSocket connection with its C2 server. This enables real-time, persistent, and
bidirectional communication, allowing the malware to exfiltrate data, receive
commands, or download additional payloads efficiently. By using WebSocket, the
malware can maintain a continuous connection without the overhead of repeatedly
opening new HTTP requests, making its communication more stealthy and harder to
detect.

The decrypted content confirms the exfiltration of sensitive data/information:



Decrypted Payload


FIRESCAM CAPABILITIES

Analyzing FireScam provides valuable insights into its operational features.
Based on this analysis, the following points outline the capabilities of this
information-stealing malware:

 1.  Exfiltrates sensitive data to Firebase Realtime Database.
 2.  Monitors and captures notifications from various apps.
 3.  Uses WebView to display a fake Telegram login page to steal user
     credentials.
 4.  Monitors and captures USSD responses, stealing sensitive data like account
     balances.
 5.  Monitors clipboard and content shared between apps, stealing sensitive
     information.
 6.  Captures device state changes like screen on/off events.
 7.  Tracks e-commerce transactions, capturing sensitive financial data.
 8.  Monitors messaging apps and exfiltrates captured message.
 9.  Monitors screen activity, uploading significant events to the C2 server.
 10. Utilizes obfuscation techniques, dynamic receiver access control, and
     sandbox detection mechanisms to evade analysis and detection.
 11. It can listen for Firebase Cloud Messaging push notifications to trigger
     remote commands.


CONCLUSION

The analysis of FireScam reveals a sophisticated and multifaceted threat
targeting Android devices. Disguised as a fake Telegram Premium app, this
malware employs advanced evasion techniques – abusing legitimate services like
Firebase and leverages phishing websites for distribution. Its capabilities to
monitor diverse device activities, intercept sensitive information, and
exfiltrate data to remote servers highlight its potential impact on user privacy
and security.

As threats like FireScam continue to evolve, it is crucial for organizations to
implement robust cybersecurity measures and proactive defense strategies. Users
should exercise caution when opening files from untrusted sources or clicking on
unfamiliar links, particularly those promoting dubious software or content.
Additionally, employing strong cybersecurity practices – such as using reputable
antivirus software, keeping all software up to date, and staying vigilant
against social engineering attacks – can significantly enhance protection
against sophisticated malware like FireScam.


INDICATORS OF COMPROMISE

S/N Indicators Type Context 1 5d21c52e6ea7769be45f10e82b973b1e File
GetAppsRu.apk 2 b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b
File GetAppsRu.apk 3 cae5a13c0b06de52d8379f4c61aece9c File Telegram Premium.apk
4 12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1 File Telegram
Premium.apk 5
https://s-usc1b-nss-2100[.]firebaseio[.]com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*
URL C2 – exfiltration 6 s-usc1b-nss-2100[.]firebaseio[.]com Domain C2 –
exfiltration 7 https[:]//androidscamru-default-rtdb[.]firebaseio[.]com URL C2
Endpoint Database 8 https[:]//rustore-apk[.]github[.]io/telegram_premium URL
Phishing website


MITRE ATT&CK TACTICS AND TECHNIQUES

No. Tactic Technique 1 Initial Access (TA0027) T1660: Phishing 2 Persistence
(TA0028) T1624.001: Broadcast Receivers 3 Privilege Escalation (TA00029)
T1626.001: Device Administrator Permissions 4 Defense Evasion (TA0030) T1628:
Hide Artifacts
T1628.002: User Evasion
T1406: Obfuscated Files or Information
T1633: Virtualization/Sandbox Evasion 5 Credential Access (TA0031) T1517: Access
Notifications
T1414: Clipboard Data
T1417: Input Capture 6 Discovery (TA0032) T1424: Process Discovery
T1418: Software Discovery
T1426: System Information Discovery
T1422: Internet Connection Discovery 7 Collection (TA0035) T1517: Access
Notifications
T1414: Clipboard Data
T1417: Input Capture
T1636: Protected User Data
T1513: Screen Capture 8 Command and Control (TA0037) T1437: Application Layer
Protocol
T1437.001: Web Protocols
T1521: Encrypted Channel
T1521.003: SSL Pinning
T1481: Web Services 9 Exfiltration (TA0036) T1646: Exfiltration Over C2 Channel


YARA RULES

rule FireScam_Malware_Indicators {
meta:
description = “Detects FireScam malware based on file hashes, URLs, and network
indicators”
author = “Cyfirma Research”
last_modified = “2024-12-25”

strings:
// MD5 Hashes
$md5_1 = “5d21c52e6ea7769be45f10e82b973b1e” ascii
$md5_2 = “cae5a13c0b06de52d8379f4c61aece9c” ascii

// SHA256 Hashes
$sha256_1 = “b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b”
ascii
$sha256_2 = “12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1”
ascii

// URLs
$url_1 = “https://androidscamru-default-rtdb.firebaseio.com” ascii
$url_2 =
“https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=”
ascii
$url_3 = “https://rustore-apk.github.io/telegram_premium/” ascii

condition:
// Match on either hash or URL indicators
($md5_1 or $md5_2 or $sha256_1 or $sha256_2) or
($url_1 or $url_2 or $url_3)
}


RECOMMENDATIONS

 * Implement threat intelligence to proactively counter the threats associated
   with FireScam.
 * To protect the endpoints, use robust endpoint security solutions for
   real-time monitoring and threat detection such as Antimalware security suit
   and host-based intrusion prevention system.
 * Continuous monitoring of the network activity with NIDS/NIPS and using the
   web application firewall to filter/block the suspicious activity provide
   comprehensive protection from compromise due to encrypted payloads.
 * Configure firewalls to block outbound communication to known malicious IP
   addresses and domains associated with FireScam malware command and control
   servers.
 * Implement behavior-based monitoring to detect unusual activity patterns, such
   as suspicious processes attempting to make unauthorized network connections.
 * Employ application whitelisting to allow only approved applications to run on
   endpoints, preventing the execution of unauthorized or malicious executables.
 * Conducting vulnerability assessment and penetration testing on the
   environment periodically helps in hardening the security by finding the
   security loopholes followed by remediation process.
 * Use of security benchmarks to create baseline security procedures and
   organizational security policies is also recommended.
 * Develop a comprehensive incident response plan that outlines steps to take in
   case of a malware infection, including isolating affected systems and
   notifying relevant stakeholders.
 * Security awareness and training programs help to protect from security
   incidents such as social engineering attacks. Organizations should remain
   vigilant and continuously adapt their defenses to mitigate the evolving
   threats posed by FireScam malware.
 * Update security patches which can reduce the risk for potential compromise.

Back to Listing
 * 
 * 
 * 

 * Company
 * Solutions
 * Takedown Services
 * Products
 * Partners
 * Resources
 * Careers
 * Privacy Policy

SINGAPORE

Hong Leong Building, 16 Raffles Quay, Floor #09-01 & #10-01, Singapore 048581

INDIA

Goodworks Co work, Plot no 72 and 73, 3rd Floor, Akshay Tech Park, EPIP Zone,
Whitefield, Bangalore, Karnataka.

JAPAN

Otemachi One Tower, 6th Floor, 1-2-1 Otemachi, Chiyoda-ku, Tokyo, 100-0004
Tokyo, Japan

USA

1123 BROADWAY STE 301, NEW YORK, NY 10010

GERMANY

Opernplatz 14, 60313 Frankfurt am Main

SOUTH KOREA

10F, 373 Gangnam-daero, Seocho-gu, Seoul, Korea 06621

AUSTRALIA

Suite 20, 270 Blackburn Road, Glen Waverley, VIC, 3150

TAIWAN

9F, Second Building, No.96, Sec. 2, Zhongshan N. Rd., Taipei, Taiwan

VIETNAM

14th Floor, HM Town building, 412 Nguyen Thi Minh Khai, Ward 5, District 3, Ho
Chi Minh City

DUBAI

Unit JLT-PH2-RET-5, Cluster R, Jumeirah Lakes Towers, Dubai, UAE

Copyright CYFIRMA. All rights reserved.

×

Your iFrame Code