Cyfirma researchers are warning Android smartphone users. Experts from the Singaporean company have discovered a new malware strain, called FireScam, that is currently spreading on phones.
The malware hides in a fake premium version of the Telegram app. This fraudulent version, whose code contains the malware, is shared on imitations of RuStore, the Russian alternative to Google’s Play Store and Apple’s App Store. The platform was born in the wake of the war in Ukraine, following the sanctions imposed against Russia. These RuStore-mimicking pages are distributed through the GitHub platform.
Sophisticated evasion tactics
First, the malicious page offers to install a file named GetAppsRu.apk. It is a dropper, a program used to quietly install other malware while bypassing the security mechanisms of the targeted smartphone. The dropper only triggers the malicious payload once it has passed the device’s defenses, in what Cyfirma describes as a “multi-step infection process”. This is a classic but effective tactic, massively exploited by cybercriminals.
As Cyfirma noted, the code is also obfuscated with DexGuard, a tool that scrambles software code, again with the aim of evading antivirus detection. After installation, the dropper requests a handful of authorizations, then downloads and installs a second malicious file named Telegram Premium.apk. This one in turn asks the user for a plethora of permissions, such as the ability to read notifications and text messages and to make calls. It also asks for access to clipboard data.
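A defender triaging an APK like the two described above would start from its manifest. The script below is an added example (not Cyfirma’s tooling, and the manifest it parses is constructed for the illustration) that flags the permission set the report associates with the dropper and the fake Telegram payload: SMS reading, placing calls, installing further packages, and a notification-listener service. Which permission names correspond to which reported behaviour is an assumption of this example.

```python
"""Flag a manifest requesting the permission set the FireScam report
describes.  Added illustration; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour -> permission mapping is this example's assumption, not the report's.
SUSPICIOUS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper behaviour)",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def notification_listener_services(manifest_xml):
    """Services guarded by the notification-listener permission (can read notifications)."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER]


def triage(manifest_xml):
    """Human-readable findings; an empty list means nothing was flagged."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: {why}" for p, why in SUSPICIOUS.items() if p in perms]
    for svc in notification_listener_services(manifest_xml):
        findings.append(f"{svc}: notification listener (reads notification contents)")
    return findings


# Constructed sample manifest resembling what the report describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakepremium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG", finding)
```

On a real sample the manifest must first be decoded from the APK’s binary XML (for example with apktool or aapt); this script only reads the decoded text form.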
A data plunderer
This is where FireScam comes into play. It is hidden in the code of the fraudulent Telegram version. Once it has made its way onto the target’s smartphone, it displays a malicious login page asking for the user’s Telegram credentials. With this data, the attackers can take control of the target’s account.
However, the attack does not stop there. The malware does everything it can to siphon off the data stored on or passing through the smartphone. Everything copied and pasted is collected and transmitted to a remote server. The malware is able to “maintain persistent control over compromised devices”. It continuously monitors “screen state changes, e-commerce transactions, clipboard activity, and user interactions” to discreetly collect sensitive information. At the same time, it can also exfiltrate data from system applications.
A “sophisticated and multifaceted” threat
FireScam mainly targets passwords and banking details, presumably with the aim of emptying its targets’ bank accounts. Researchers consider FireScam a particularly formidable spyware strain when it comes to data theft.
This is a new “sophisticated and multifaceted” threat targeting Android devices. As always, we encourage you to favor verified applications from trusted developers.
Source: Cyfirma