Avoid at all costs: this fake Telegram Premium clone app is a nasty malware

New year, new horror: there's a newly identified Android malware, dubbed ‘FireScam’; this one is being distributed as a sham version of the Telegram Premium app through phishing websites hosted on GitHub.

These websites imitate RuStore, Russia’s government-supported app marketplace, which was launched in 2022 as an alternative to Google Play and the Apple App Store in response to Western sanctions, a report by BleepingComputer reads.

According to cybersecurity experts, the phishing sites first deliver a malicious installer file named GetAppsRu.apk, known as a dropper module. A dropper is a small piece of software whose only job is to deliver and install the real malware. This file is protected with DexGuard, a commercial Android obfuscation tool; the obfuscation hides the dropper's true purpose from static analysis and helps it evade detection by security software. Once installed, the dropper requests permissions that allow it to enumerate installed apps, access the device's storage, and install additional packages.

The dropper then deploys the main malware, disguised as Telegram Premium.apk, which requests extensive permissions to read notifications, clipboard data, and SMS messages and to access phone services. When executed, the app presents a fake login screen resembling Telegram's interface. This fraudulent screen captures the credentials users type in and sends them to the attackers. Not fun, right?
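The two install stages above are defined by the permissions they ask for. As an added example (not code from the FireScam report, BleepingComputer, or PhoneArena), here is a small manifest triage script that flags the capability buckets the article describes. It assumes those capabilities map to the standard Android permissions listed in the script; the page does not name the exact permissions FireScam requests, and the sample manifest is constructed for illustration. Input is a decoded AndroidManifest.xml such as the one `apktool d` produces.

```python
"""Triage the permissions an Android app manifest requests.

Added example, not code from the FireScam report or from PhoneArena.
Assumption: the capabilities described in the article (enumerate apps,
install packages, storage, SMS, phone, notifications) map to the standard
Android permissions below. The real names FireScam uses are not on the page.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability bucket -> standard permissions (assumed mapping, see docstring).
SUSPECT = {
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "install further packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "access external storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "phone services": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_PHONE_NUMBERS",
        "android.permission.CALL_PHONE",
    },
}
# Notification access is granted to a bound service, not via <uses-permission>.
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def requested_permissions(manifest_xml: str) -> set:
    """Return every android:name from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def notification_listeners(manifest_xml: str) -> list:
    """Return names of services declared as notification listeners."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(NAME_ATTR, "?") for svc in root.iter("service")
            if svc.get(PERM_ATTR) == NOTIFICATION_LISTENER_PERM]


def triage(manifest_xml: str) -> dict:
    """Map each suspicious capability bucket to the evidence found for it."""
    perms = requested_permissions(manifest_xml)
    hits = {}
    for capability, names in SUSPECT.items():
        found = sorted(perms & names)
        if found:
            hits[capability] = found
    listeners = notification_listeners(manifest_xml)
    if listeners:
        hits["read all notifications"] = listeners
    return hits


# Constructed sample manifest modelled on the dropper-plus-payload chain
# in the article. It is illustrative, not a real FireScam artefact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fakepremium">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Telegram Premium">
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for capability, evidence in triage(SAMPLE_MANIFEST).items():
        print(f"[!] {capability}: {', '.join(evidence)}")
```

A benign messaging client may legitimately ask for one or two of these buckets; what makes the combination worth a closer look is an app that both installs other packages and reads SMS, notifications and the phone state, which is exactly the profile the article describes.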

FireScam communicates with a remote database hosted on Firebase, Google's legitimate cloud platform, which means its traffic goes to infrastructure that looks perfectly ordinary. It uploads stolen data in real time and registers each infected device under a unique identifier for tracking. The malware also maintains a persistent connection to Firebase to receive commands, download further malicious files, and adjust its surveillance activities.

Additionally, FireScam meticulously tracks user activity, such as screen changes and e-commerce transactions, aiming to steal sensitive financial information. It captures everything users type, copy, or interact with, including data autofilled by password managers or shared between apps. This information is sorted for valuable content before being sent to the attackers. Definitely not fun at all!

Researchers note FireScam's sophisticated design and its use of advanced evasion techniques, which make it particularly dangerous. While the identity of the attackers remains unknown, the report advises users to exercise caution when downloading apps, avoid files from untrusted sources, and refrain from clicking on unfamiliar links. One simple check is worth remembering here: Telegram Premium is a subscription inside the official Telegram app, not a separate APK, so any standalone "Telegram Premium" installer is a red flag on its own.