
A new virus is spreading under the guise of Telegram Premium: what you need to know and how to protect yourself

By all indications, Russian hackers have launched a malicious campaign aimed primarily at Russians themselves. However, users from other countries can also fall prey to it, as the virus spreads through GitHub, an international service for software developers.

What you need to know

A new malware called FireScam is spreading among Android smartphone users. It is presented as a supposedly premium version of the Telegram application for those who do not want to pay but would like to have all the features of a paid subscription. Users can download the fake Telegram Premium from a GitHub page that copies the design of the Russian app store RuStore, an analogue of the Play Market, 24 Kanal reports, citing BleepingComputer.

RuStore was launched in May 2022 by the Russian company that now owns VKontakte. This was done in response to the introduction of Western sanctions that affected Russian users' access to mobile software, and with the support of the Russian government. RuStore hosts applications that comply with local legislation.

According to Cyfirma, a threat management research firm, the malware uses DexGuard to disguise its activities and avoid detection by antivirus programs. The hidden code is granted permissions that let it identify installed applications, access device storage, and install additional packages. The main application “Telegram Premium.apk” requests permissions to monitor notifications, clipboard data, SMS, telephony, and other services.
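A defender-side static check for the permission combination the article describes, added here as an example and not part of the original report or Cyfirma's tooling. It parses a constructed Android manifest (not the real APK's) and flags the SMS, telephony, app-inventory, package-install and notification-listener grants together; the category grouping and the "suspicious" rule are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Real Android permission names; grouping them into the categories the article
# lists (SMS, telephony, storage, app inventory, package install) is this
# example's own assumption, not Cyfirma's detection logic.
CATEGORIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "package_inventory": {"android.permission.QUERY_ALL_PACKAGES"},
    "package_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def triage(manifest_xml):
    """Return (categories hit, suspicious) for one manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {cat for cat, names in CATEGORIES.items() if perms & names}
    # Notification access is a <service> guarded by this permission, not a <uses-permission>.
    if any(s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
           for s in root.iter("service")):
        hits.add("notifications")
    # Storage alone is normal for a messenger; SMS + telephony + the ability to
    # install further packages is the combination worth a manual look.
    return hits, {"sms", "telephony", "package_install"} <= hits

def make_manifest(perms, notification_listener=False):
    """Build a minimal manifest (constructed test data, not a real APK's)."""
    body = "".join(f'  <uses-permission android:name="{p}"/>\n' for p in perms)
    if notification_listener:
        body += ('  <application><service android:name=".Listener" '
                 f'android:permission="{NOTIFICATION_LISTENER}"/></application>\n')
    return (f'<manifest xmlns:android="{ANDROID_NS[1:-1]}" package="example.app">\n'
            f"{body}</manifest>")

FAKE_PREMIUM = make_manifest(
    ["android.permission.READ_SMS", "android.permission.READ_PHONE_STATE",
     "android.permission.QUERY_ALL_PACKAGES", "android.permission.REQUEST_INSTALL_PACKAGES",
     "android.permission.READ_EXTERNAL_STORAGE"], notification_listener=True)
PLAIN_MESSENGER = make_manifest(
    ["android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for label, m in (("fake premium", FAKE_PREMIUM), ("plain messenger", PLAIN_MESSENGER)):
        hits, flagged = triage(m)
        print(f"{label}: {sorted(hits)} -> {'SUSPICIOUS' if flagged else 'ok'}")
```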

FireScam capabilities

After launching the fake Telegram, you will, of course, have to log in. Here, you enter your credentials, which are immediately sent to the hackers. FireScam establishes a real-time connection to a Firebase database and also pulls data from your real Telegram account. Your device is registered in the system with unique identifiers. Everything contained in your conversations and storage is now available to the attackers.

Cyfirma reports that stolen data is stored in the database only temporarily and then deleted. Presumably, this is done after the hackers have gone through all the content and messages for anything valuable and interesting. Otherwise, it would make no sense for them to keep all this information, clogging up the storage on their server. However, if they do find something interesting, the fate of the victim may be quite different.

  • The malware also opens a persistent connection to the Firebase C2 endpoint to execute real-time commands, such as requesting certain data, triggering an immediate upload to the Firebase database, downloading and executing an additional payload, or adjusting surveillance parameters.
  • FireScam can also track changes in screen activity, capture power-on/power-off events, and log currently active applications, as well as activity data for events lasting more than 1000 milliseconds.
  • In addition, the virus carefully monitors any e-commerce transactions, trying to intercept sensitive financial data.

Everything the user types, drags, and copies to the clipboard will be visible to hackers. The virus even intercepts data that is auto-filled from password managers, as well as everything that applications exchange without your participation.

Who is behind this

Cyfirma has no information about who operates FireScam. However, researchers say that this malware is a “sophisticated and multifaceted threat” that “uses advanced evasion techniques.” So it is unlikely that some team of amateurs who just decided to play around is behind it.

  • The company recommends that users be careful when opening files from potentially unreliable sources or following unfamiliar links.
  • In addition, you should only install applications from official stores.
  • Finally, remember that free cheese is found only in a mousetrap: if someone offers you a free version of a paid program, they are most likely doing it for a reason.
Natasha Kumar
