This nasty Android malware is posing as the Telegram Premium app

Malware kan ställa till med oreda (Image credit: Shutterstock)

Researchers have found a fake Telegram Premium Android app
It is being distributed through a phishing page pretending to be a Russian app store
Malware is capable of exfiltrating all sorts of sensitive information

Experts have detected a new piece of information-stealing malware posing as one of the most popular messaging apps around.

Cybersecurity researchers from CyFirma recently discovered an Android app, pretending to be a premium version of Telegram, but which actually steals victim’s login credentials and sensitive information.

The researchers explained how back in 2022, when the Russian invasion of Ukraine began, the West imposed heavy sanctions on Putin’s regime. These sanctions meant Russians could not access Google's Play Store or Apple’s App Store. To provide Russian citizens with access to mobile software, the country’s Ministry of Digital Development, together with VK (the country’s social media behemoth and essentially a Facebook clone) created RuStore, a mobile app marketplace.

FireScam

Cyfirma now claims someone created phishing websites on GitHub designed to look like RuStore. Victims that visit the website will first get a dropper module named GetAppsRu.apk, which lists apps installed on the device, gains access to device storage, and installs additional packages.

Among the additional packages is the main malware, called Telegram Premium.apk. This malware, dubbed FireScam, requests permissions to monitor notifications, clipboard data, SMS, and more. It also displays a fake Telegram login page to steal the credentials.

Furthermore, FireScam will monitor app activity, the clipboard, look for e-commerce transactions, and virtually anything else that could be useful. The data is then extracted to a third-party server where it’s filtered and transferred elsewhere. The information that is deemed worthless is wiped, it was added.

Cyfirma could not attribute FireScam to any known threat actor, but it did describe the operation as a “sophisticated and multifaceted threat” that “employs advanced evasion techniques.” There was no word on the number of potential victims. It also recommended users be careful when opening files from sources they’re not entirely familiar with, or when clicking on potentially dangerous links.

Via BleepingComputer

Dangerous new Android malware infects 11 million devices — here's what we know
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.