{"id":6812,"date":"2025-01-06T15:12:00","date_gmt":"2025-01-06T21:12:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/firescam-android-spyware-campaign-significant-threat-worldwide"},"modified":"2025-01-06T15:12:00","modified_gmt":"2025-01-06T21:12:00","slug":"firescam-android-spyware-campaign-poses-significant-threat-worldwide","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/06\/firescam-android-spyware-campaign-poses-significant-threat-worldwide\/","title":{"rendered":"FireScam Android Spyware Campaign Poses ‘Significant Threat Worldwide’"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A new advanced Android spyware threat called “FireScam” is using a fake Telegram Premium application to drop an infostealer on victims’ phones that is able to track, monitor, and collect sensitive data on its victims.<\/span><\/p>\n

Researchers at Cyfirma behind a new FireScam analysis said the campaign is part of a wider trend of threat actors finding success disguising malware as legitimate applications and services. In this case, they are abusing Firebase, a legitimate <\/span>cloud platform<\/a><\/span> widely used by developers of Google mobile and Web applications.<\/span><\/p>\n

“By capitalizing on the widespread usage of popular apps and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices,” the <\/span>report<\/a><\/span> explained. “By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.”<\/span><\/p>\n

The infection routine starts with a phishing site hosted on the GitHbub[dot]io domain, dressed up to look like the RuStore app store, the report said. The site delivers a malicious version of Telegram Premium, which then steals data from the targeted Android device, including notifications, messages, and more, and sends it to a Firebase Realtime Database endpoint.<\/span><\/p>\n

Related:<\/span>China’s Salt Typhoon Adds Charter, Windstream to Telecom Victim List<\/a><\/p>\n

Once installed, FireScam uses regular checks and analysis, command-and-control communications (C2), and data storage to maintain persistence and deliver additional malware, as needed, the report added.<\/span><\/p>\n

“The FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated,” Eric Schwake, director of cybersecurity strategy at Salt Security, said in a statement. “Although using phishing websites for malware distribution is not a new tactic, FireScam’s specific methods \u2014 such as masquerading as the Telegram Premium app and utilizing the RuStore app store \u2014 illustrate attackers’ evolving techniques to mislead and compromise unsuspecting users.”<\/span><\/p>\n

Solutions for Stopping Spyware Like FireScam<\/h2>\n

With these threats becoming increasingly sophisticated, it’s important for cyber defenders to focus on anomalous app activity, according to a statement from Stephen Kowski, field CTO at SlashNext Email Security+.<\/span><\/p>\n

“Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels,” Kowski wrote. “The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised.”<\/span><\/p>\n

Related:<\/span>EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets<\/a><\/p>\n

Kowski added that <\/span>protecting application programming interfaces (APIs)<\/a><\/span> can also help protect users from increasingly convincing phishing lures.<\/span><\/p>\n

“Real-time mobile-app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels,” Kowski wrote. “The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A new advanced Android spyware threat called “FireScam” is using<\/p>\n","protected":false},"author":12,"featured_media":6813,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-6812","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/firescam-android-spyware-campaign-poses-significant-threat-worldwide-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6812"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6812\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/6813"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}