Fake Telegram Premium App Serves as Gateway for FireScam Malware

Responsible downloading: this mantra should be everyone’s New Year resolution, as FireScam malware is disguising itself as a Telegram app.

Plot of the scam

A fake Telegram Premium app is being spread through malicious GitHub pages that imitate RuStore, the Russian app platform launched in May 2022. RuStore was launched by the internet group VK (VKontakte) as a compliant alternative to Google Play and Apple’s App Store, with support from the Russian Ministry of Digital Development.

The Infestation route

According to the threat researchers, the GitHub page impersonating RuStore starts the process by delivering the dropper, GetAppsRu.apk. The APK is obfuscated with DexGuard to evade detection, and it requests permissions to access the installed apps and the storage on the user’s phone.

In the next step, the dropper extracts and installs the main malware payload, ‘Telegram Premium.apk’. Once installed, the malware requests permissions to monitor notifications, clipboard data, text messages, and call logs, among others.

What does FireScam do?

  • Upon execution, FireScam displays a deceptive WebView screen mimicking the Telegram login page to steal user credentials.
  • Uploads the stolen credentials in real time to a Firebase Realtime Database, and registers the unique identifiers of each compromised device.
  • Moves the stored data to a different location without leaving a trace.
  • Executes real-time commands such as requesting specific data, delivering additional payloads, and adjusting the surveillance parameters.
  • Can monitor changes in screen activity, including screen on/off events, and e-commerce transactions.
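The dropper-then-payload chain and the permission set described above (installing a second APK, enumerating installed apps, reading notifications, texts, and call logs) can be triaged from an app's manifest before installation. The following is an added example written for this article, not FireScam's code or any vendor's tool; the manifest and package name are constructed, and the permission watchlist is an assumption based on the behaviour described here.

```python
# Triage helper (constructed example, not FireScam's or any vendor's code):
# flag an Android manifest requesting the permission mix the article
# describes for the dropper and payload. Clipboard reads need no manifest
# permission, so they cannot be detected this way.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs other APKs (dropper)",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.READ_CALL_LOG": "reads call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "reads device storage",
}
# Notification access is declared on a <service>, not via <uses-permission>.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, suspicious capabilities found, and a verdict."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name in SUSPECT_PERMISSIONS:
            findings[name] = SUSPECT_PERMISSIONS[name]
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER:
            findings[NOTIFICATION_LISTENER] = "reads all notifications"
    # Heuristic: a messaging client has no need to install packages or read
    # call logs; two or more of these together warrants manual review.
    verdict = "suspicious" if len(findings) >= 2 else "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed manifest mimicking the behaviour described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".NotifySvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest reports five flagged capabilities and the verdict "suspicious"; a real manifest can be pulled from an APK with a tool such as apktool before installing it.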

FireScam Category

Considering FireScam’s advanced evasion techniques, Cyfirma, a leading external threat management company, has tagged the malware as a "sophisticated and multifaceted threat".

Pro Tips to Stay Safe:

  • Download apps responsibly, even from verified stores like the Play Store, RuStore, or the App Store.
  • Don’t click on random links to download your favorite apps.
  • Check the domain name closely, along with the padlock symbol, to ensure you are on a verified, safe page.

Stay tuned to DataSpace Academy for more such new updates on the cybersecurity world.
