- Researchers have found a fake Telegram Premium Android app
- It is being distributed through a phishing page pretending to be a Russian app store
- Malware is capable of exfiltrating all sorts of sensitive information
Experts have detected a new piece of information-stealing malware posing as one of the most popular messaging apps around.
Cybersecurity researchers from CyFirma recently discovered an Android app, pretending to be a premium version of Telegram, but which actually steals victim’s login credentials and sensitive information.
The researchers explained how back in 2022, when the Russian invasion of Ukraine began, the West imposed heavy sanctions on Putin’s regime. These sanctions meant Russians could not access Google's Play Store or Apple’s App Store. To provide Russian citizens with access to mobile software, the country’s Ministry of Digital Development, together with VK (the country’s social media behemoth and essentially a Facebook clone) created RuStore, a mobile app marketplace.
FireScam
Cyfirma now claims someone created phishing websites on GitHub designed to look like RuStore. Victims that visit the website will first get a dropper module named GetAppsRu.apk, which lists apps installed on the device, gains access to device storage, and installs additional packages.
Among the additional packages is the main malware, called Telegram Premium.apk. This malware, dubbed FireScam, requests permissions to monitor notifications, clipboard data, SMS, and more. It also displays a fake Telegram login page to steal the credentials.
Furthermore, FireScam will monitor app activity, the clipboard, look for e-commerce transactions, and virtually anything else that could be useful. The data is then extracted to a third-party server where it’s filtered and transferred elsewhere. The information that is deemed worthless is wiped, it was added.
Cyfirma could not attribute FireScam to any known threat actor, but it did describe the operation as a “sophisticated and multifaceted threat” that “employs advanced evasion techniques.” There was no word on the number of potential victims. It also recommended users be careful when opening files from sources they’re not entirely familiar with, or when clicking on potentially dangerous links.
Edit, January 13 - After the publication of this article, a Google spokesperson reached out to confirm that the malware is not present in the Play Store:
“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," the spokesperson said. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
Via BleepingComputer
You might also like
- Dangerous new Android malware infects 11 million devices — here's what we know
- Here's a list of the best antivirus tools on offer
- These are the best endpoint protection tools right now
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
