- Researchers have found a fake Telegram Premium Android app
- It is being distributed through a phishing page pretending to be a Russian app store
- Malware is capable of exfiltrating all sorts of sensitive information
Experts have detected a new piece of information-stealing malware posing as one of the most popular messaging apps around.
Cybersecurity researchers from CyFirma recently discovered an Android app, pretending to be a premium version of Telegram, but which actually steals victim’s login credentials and sensitive information.
The researchers explained how back in 2022, when the Russian invasion of Ukraine began, the West imposed heavy sanctions on Putin’s regime. These sanctions meant Russians could not access Google‘s Play Store or Apple’s App Store. To provide Russian citizens with access to mobile software, the country’s Ministry of Digital Development, together with VK (the country’s social media behemoth and essentially a Facebook clone) created RuStore, a mobile app marketplace.
FireScam
Cyfirma now claims someone created phishing websites on GitHub designed to look like RuStore. Victims that visit the website will first get a dropper module named GetAppsRu.apk, which lists apps installed on the device, gains access to device storage, and installs additional packages.
Among the additional packages is the main malware, called Telegram Premium.apk. This malware, dubbed FireScam, requests permissions to monitor notifications, clipboard data, SMS, and more. It also displays a fake Telegram login page to steal the credentials.
Furthermore, FireScam will monitor app activity, the clipboard, look for e-commerce transactions, and virtually anything else that could be useful. The data is then extracted to a third-party server where it’s filtered and transferred elsewhere. The information that is deemed worthless is wiped, it was added.
Cyfirma could not attribute FireScam to any known threat actor, but it did describe the operation as a “sophisticated and multifaceted threat” that “employs advanced evasion techniques.” There was no word on the number of potential victims. It also recommended users be careful when opening files from sources they’re not entirely familiar with, or when clicking on potentially dangerous links.
Via BleepingComputer
You might also like
https://cdn.mos.cms.futurecdn.net/5pmsJs3KfnrtbsM98UsnG9-1200-80.jpg
Source link
