FireScam Malware Exploits Telegram Premium App To Steal User Data
A new strain of Android malware, named FireScam, is targeting users by posing as a Telegram Premium application, as first reported by cybersecurity experts at CYFIRMA.
In a Rush? Here are the Quick Facts!
- FireScam malware disguises itself as a fake Telegram Premium app via phishing websites.
- The phishing site impersonates RuStore, a popular app store in the Russian Federation.
- The malware captures sensitive information, including messages, notifications, and clipboard data.
Through a phishing website designed to mimic RuStore, a popular app store in Russia, the malware uses sophisticated techniques to infiltrate devices, steal sensitive data, and evade detection.
The Hacker News reports that it is still unclear who the operators are, how users are directed to these links, or whether SMS phishing or malvertising techniques are involved.
The researchers note that FireScam is distributed through a GitHub.io-hosted phishing site that impersonates RuStore, tricking users into downloading a malicious APK. The fake app promises Telegram Premium features but instead deploys a multi-stage infection process.
It begins with a dropper APK that downloads and installs the FireScam malware, disguising it as a legitimate application. Once installed, FireScam conducts extensive surveillance on the infected device.
It captures sensitive data such as notifications, messages, and clipboard activity. The malware even monitors device interactions, including screen state changes and e-commerce transactions, providing attackers with valuable insights into user behavior.
FireScam relies on Firebase Realtime Database as part of its command-and-control system, which is essential for managing its malicious activities. This database acts as a storage space for the information the malware steals from infected devices.
Once the data is uploaded, the attackers sift through it to identify valuable pieces, such as sensitive personal details or financial information. Any data deemed unnecessary is deleted to avoid raising suspicion.
In FireScam’s case, using Firebase—a legitimate and widely used service—helps the malware blend in, making it harder for security tools to detect and block its activities. Firebase is also employed to deliver additional malicious payloads, allowing the attackers to maintain persistent control over compromised devices.
The malware employs obfuscation to conceal its intent and evade detection by security tools. It also performs environment checks to identify if it is running in an analysis or virtualized environment, further complicating efforts to track its activities.
By leveraging the popularity of widely used apps like Telegram and legitimate services like Firebase, FireScam highlights the advanced tactics employed by modern threat actors. The malware’s ability to steal sensitive information and maintain stealth poses a significant risk to both individual users and organizations.
Information Security Buzz (ISB) reports that Eric Schwake, Director of Cybersecurity Strategy at Salt Security, highlights the increasing sophistication of Android malware, exemplified by FireScam.
“Although using phishing websites for malware distribution is not a new tactic, FireScam’s specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers’ evolving techniques to mislead and compromise unsuspecting users,” said Schwake according to Dark Reading.
ISB reports that Schwake stresses the need for robust API security, as compromised devices can access sensitive data through mobile app APIs. Strong authentication, encryption, and continuous monitoring are essential to mitigate these risks.
To counter FireScam, the researchers at CYFIRMA suggest employing threat intelligence, robust endpoint security, and behavior-based monitoring. They also suggest using firewalls to block malicious domains and application whitelisting to prevent unauthorized executables.
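The Firebase point made above (a legitimate service as exfiltration storage, so the domain alone is not a usable indicator) and CYFIRMA's call for behavior-based monitoring fit together: a defender has to correlate several weak signals per package rather than block one host. The script below is an added illustration of that correlation, not code from CYFIRMA or from the article. It runs over constructed Android telemetry lines (install source, permission grants, outbound hosts) and scores each package on three signals drawn from the description here: installed outside an approved store, holding notification-listener access, and talking to a Firebase Realtime Database host. The telemetry format, the package names, the weights and the threshold are all assumptions; only the Android permission name and the Firebase host suffixes are real.

```python
"""Behaviour-based triage of constructed Android telemetry (added example, not
from the article). Correlates install source, notification access and Firebase
Realtime Database traffic per package instead of blocking a single host."""
import json
from collections import defaultdict

# Assumption: approved stores for this fleet. Extend with your own store packages.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Real host suffixes used by Firebase Realtime Database instances.
FIREBASE_RTDB_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
# Real Android permission that a notification-stealing app must hold.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample telemetry: one JSON object per line. Not real indicators.
SAMPLE_EVENTS = [
    '{"ts":"2025-01-06T10:00:01Z","type":"install","pkg":"com.example.premiumchat","installer":"com.android.packageinstaller"}',
    '{"ts":"2025-01-06T10:00:05Z","type":"permission","pkg":"com.example.premiumchat","perm":"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}',
    '{"ts":"2025-01-06T10:00:09Z","type":"network","pkg":"com.example.premiumchat","host":"example-project.firebaseio.com"}',
    '{"ts":"2025-01-06T10:01:00Z","type":"install","pkg":"com.example.weather","installer":"com.android.vending"}',
    '{"ts":"2025-01-06T10:01:03Z","type":"network","pkg":"com.example.weather","host":"weather-api.example.net"}',
    '{"ts":"2025-01-06T10:02:00Z","type":"install","pkg":"com.example.notes","installer":"com.android.vending"}',
    '{"ts":"2025-01-06T10:02:02Z","type":"permission","pkg":"com.example.notes","perm":"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}',
    '{"ts":"2025-01-06T10:02:05Z","type":"network","pkg":"com.example.notes","host":"notes-sync.firebaseio.com"}',
    'this line is deliberately malformed and must be skipped',
]


def parse_events(lines):
    """Parse JSON-per-line telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # bad telemetry is dropped, never fatal for the pipeline
    return events


def profile_packages(events):
    """Fold events into one profile per package: installer, permissions, hosts."""
    profiles = defaultdict(lambda: {"installer": None, "perms": set(), "hosts": set()})
    for ev in events:
        pkg = ev.get("pkg")
        if not pkg:
            continue
        prof = profiles[pkg]
        kind = ev.get("type")
        if kind == "install":
            prof["installer"] = ev.get("installer")
        elif kind == "permission":
            prof["perms"].add(ev.get("perm"))
        elif kind == "network":
            prof["hosts"].add(ev.get("host", ""))
    return profiles


def score_package(profile):
    """Weighted score plus the reasons that contributed (weights are assumptions)."""
    score, reasons = 0, []
    # No install event or an unapproved installer both count as sideloaded.
    if profile["installer"] not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("sideloaded")
    if NOTIFICATION_LISTENER in profile["perms"]:
        score += 1
        reasons.append("notification-listener")
    if any(h.endswith(FIREBASE_RTDB_SUFFIXES) for h in profile["hosts"]):
        score += 1
        reasons.append("firebase-rtdb")
    return score, reasons


def triage(lines, threshold=3):
    """Return (package, score, reasons) for every package at or above threshold."""
    hits = []
    for pkg, prof in profile_packages(parse_events(lines)).items():
        score, reasons = score_package(prof)
        if score >= threshold:
            hits.append((pkg, score, reasons))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {pkg} score={score} reasons={','.join(reasons)}")
```

With the constructed input only the sideloaded package crosses the threshold; the store-installed notes app also holds notification access and uses Firebase, but stays below it, which is the point: Firebase traffic by itself is what the article says blends in, so it is only weighted as one signal among several.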