A new Android malware called FireScam is being distributed through phishing websites hosted on GitHub, masquerading as a premium version of the Telegram app. These fraudulent sites mimic RuStore, Russia’s official mobile app marketplace, tricking users into downloading the malware. This incident highlights how cybercriminals exploit trusted platforms to deploy sophisticated threats.
RuStore was launched in May 2022 by Russian tech company VK (VKontakte) with support from the Ministry of Digital Development as an alternative to Google Play and Apple’s App Store. It was designed to provide Russian users access to mobile applications despite Western sanctions. Cybercriminals have taken advantage of RuStore’s credibility by creating phishing pages that distribute malware under the guise of legitimate applications. According to security researchers at CYFIRMA, attackers have set up a GitHub-hosted phishing page impersonating RuStore, delivering an initial malware payload named GetAppsRu.apk.
Once installed, the dropper module requests multiple permissions, allowing it to identify installed applications, access device storage, and install additional software. It then downloads and installs the primary malware payload, disguised as Telegram Premium.apk. This second-stage malware requests extensive permissions, enabling it to monitor notifications, read clipboard data, access SMS and call information, and track user activity.
FireScam displays a fake Telegram login page via WebView to steal user credentials. The malware then communicates with Firebase Realtime Database, where stolen data is uploaded in real time. Each infected device is assigned a unique identifier, allowing attackers to track it. According to CYFIRMA, the stolen data is temporarily stored in Firebase before being filtered and transferred to another location. FireScam maintains a persistent WebSocket connection with a Firebase-based command-and-control (C2) endpoint, allowing attackers to execute real-time commands, download and install additional payloads, modify surveillance settings, and trigger immediate data uploads.
FireScam continuously tracks various device activities, including screen on/off events, active app usage, and user interactions lasting over 1,000 milliseconds. One of its most concerning features is its focus on e-commerce transactions. The malware attempts to intercept sensitive financial data by logging keystrokes, tracking clipboard content, and extracting auto-filled credentials from password managers.
While the identity of FireScam’s operators remains unknown, CYFIRMA researchers describe it as a sophisticated and multifaceted threat that employs advanced evasion techniques. To minimize the risk of infection, users should avoid downloading apps from unverified sources, be cautious when clicking on unfamiliar links, download applications only from official platforms like Google Play or verified stores, and regularly review and restrict app permissions to prevent unauthorized data access. The rise of malware like FireScam underscores the growing need for cybersecurity awareness. Staying vigilant and adopting secure online practices is essential to protecting personal and financial data from evolving cyber threats.
 
 
 
 
 
 
 
 
