New Android Malware 'FireScam' Masquerades as Telegram Premium to Steal User Data


A sophisticated Android malware called FireScam has been discovered impersonating Telegram Premium to steal sensitive user data and maintain remote control of infected devices.

Security researchers at Cyfirma found that cybercriminals are distributing the malware through a phishing website that mimics RuStore, a popular Russian app marketplace. The fake site delivers a malicious dropper application that subsequently installs the main FireScam payload.

Once installed, FireScam requests extensive device permissions and employs multiple techniques to maintain persistence. The malware can prevent legitimate app updates by declaring itself as the "update owner," forcing users to keep the compromised version.

The malware's capabilities include:

  • Stealing notifications, messages and app data
  • Monitoring screen activity and clipboard content
  • Tracking e-commerce transactions
  • Accessing contact lists, call logs and SMS messages
  • Downloading and processing images from specified URLs
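A defender-side triage of the permission footprint that the permission requests and the capability list above imply, as an added example that is not code from the article or from Cyfirma's report: it parses a decoded AndroidManifest.xml (as apktool produces) and maps the permissions found onto those capability categories. The manifest is constructed, and the permission-to-capability mapping is this example's own heuristic, not one the report states.

```python
"""Heuristic manifest triage for the capability profile described above.
The mapping and the sample manifest are this example's own assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app would need for each capability named in the article
# (assumed mapping; notification and accessibility access are declared on
# a <service> via android:permission rather than via <uses-permission>).
CAPABILITY_PERMISSIONS = {
    "messages_and_sms": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "contacts_and_call_logs": {"android.permission.READ_CONTACTS",
                               "android.permission.READ_CALL_LOG"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "screen_activity": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "dropper_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return <uses-permission> names plus permissions bound to services."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> dict:
    """Map the manifest's permissions onto the capability categories;
    only categories with at least one matching permission are returned."""
    perms = manifest_permissions(manifest_xml)
    hits = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        found = sorted(perms & needed)
        if found:
            hits[capability] = found
    return hits

# Constructed sample: a messaging-themed app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage(SAMPLE_MANIFEST)` flags four of the five categories; a messaging app that legitimately needs none of SMS, call-log or install-package access is the kind of mismatch worth escalating.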

To appear legitimate, the fake Telegram Premium app displays the official Telegram website login page in a WebView to harvest credentials. However, the malware begins collecting data regardless of whether users log in.

FireScam uses Firebase Cloud Messaging to receive remote commands and maintains a WebSocket connection with command servers for data exfiltration. The malware employs various obfuscation methods to avoid detection by security tools.

While researchers have identified the malware's technical capabilities, the identity of the operators and their exact distribution methods remain unknown. The discovery highlights the growing sophistication of mobile malware that exploits trusted brands and platforms to compromise user devices.

Users are advised to only download apps from official sources and be cautious of websites impersonating legitimate app stores, even if they appear authentic.