One Article Review

Home - The article:
Source RiskIQ
Identifier 8632163
Publication date 2024-12-31 20:28:31 (viewed: 2024-12-31 21:08:17)
Title Inside FireScam: An Information Stealer with Spyware Capabilities
Text

## Snapshot

FireScam is a sophisticated Android malware distributed via phishing websites hosted on GitHub.io.

## Description

Posing as a “Telegram Premium” app, it mimics the RuStore app store to trick users into downloading a malicious APK dropper. Once installed, FireScam initiates a multi-stage infection process, deploying spyware that surveils the device extensively. It exfiltrates sensitive data, including messages, notifications, and e-commerce transactions, to Firebase Realtime Database endpoints.

Key capabilities of FireScam include monitoring notifications across multiple apps, capturing clipboard content, and logging device activity, such as screen state changes and user engagement. The malware also employs obfuscation techniques and sandbox detection mechanisms to evade security tools, ensuring persistence on compromised devices. Additionally, it utilizes Firebase for command-and-control communication and data exfiltration, further obscuring its malicious activities.

FireScam exploits dynamic broadcast receivers and permissions to gain backdoor access to sensitive device events. Its phishing website delivers a realistic Telegram login page via WebView to steal credentials. Advanced tactics like profiling the device environment and using WebSocket connections enhance its stealth and operational success.

## Recommendations

- Only install applications from trusted sources and official stores.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
- Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications.
- Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
- Evaluate whether [Microsoft Defender for Internet of Things (IoT)](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/overview) services are applicable to your IoT environment.

## Detections/Hunting Queries

### Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

- [Trojan:AndroidOS/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:AndroidOS/Multiverze)

## References

[Inside FireScam: An Information Stealer with Spyware Capabilities](https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/). CYFIRMA (accessed 2024-12-30)

## Copyright

**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Notes ★★★
Sent Yes
Tags Malware Tool Threat Mobile


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.