Specialists from the information security company Cyfirma have discovered new malware called FireScam, which is aimed at stealing data from Android users. The malware masquerades as a Telegram Premium app and is distributed via a page on GitHub.
According to researchers from Cyfirma, an APK dropper, protected against detection by Android security tools, was delivered to the victim's device via a malicious page. It received the permissions necessary to scan the device for installed applications, as well as access to the device's storage and permission to download additional packages. The dropper then extracted and installed the main malware, Telegram_Premium.apk, which in turn requested permission to monitor messages, clipboard data, SMS content, etc.
When first launched, the malware displays a data entry page similar to the one seen when logging into Telegram. The data entered by the user is stolen and then used to work with the messenger. FireScam also establishes a connection to the Firebase Realtime Database, to which information stolen from the victim's device is transferred. According to Cyfirma, the stolen data is stored in the database temporarily, and after the attackers filter it, it is deleted or transferred to another location.
The malware also establishes a permanent connection to a remote server, which allows attackers to execute various commands on the victim's device, including requesting certain data, setting additional tracking parameters, and downloading additional malicious software. FireScam is able to track changes in activity on the device's screen, recording various events lasting more than 1000 ms. The malware carefully monitors all transactions, trying to intercept the victim's confidential payment data. Everything that the user types and copies to the clipboard is classified and transmitted to a remote server.
While Cyfirma does not speculate about who operates the new malware, the company noted that the campaign is a "sophisticated and multi-layered threat" that "uses advanced masking techniques". The company's specialists recommend that users be cautious about files they download from potentially unreliable sources.