Today, we're going to be taking a look at an Android Trojan called FireScam that has been found in the wild masquerading as a premium version of the Telegram messaging app to trick people into installing it. The hackers behind the malware also managed to create a pretty convincing copy of the RuStore to distribute the malware.
In case you haven't heard of the RuStore, it's an Android app store launched by VK in Russia back in 2022 after many tech companies left the country due to sanctions. In Russia, the smartphone ecosystem is becoming more similar to how it is in China, where de-Googled Android phones are the norm. Stateside alternatives to those Google services fill in the gaps where available, although the Russian solution is lacking some important features compared to the Chinese one. We’ll discuss this further in the mitigation section.
This is a screenshot of the now-defunct rap.github.io website that the malware was distributed through. You can see it looks almost identical to the real Telegram listing on the legitimate RuStore.
Now, this fake app is not FireScam itself but rather a dropper, with the file name get_apps.apk, that installs FireScam after the fact. FireScam is primarily an information stealer that scans devices for valuable credentials like private keys and passwords. It first sends this data to a Firebase database endpoint for temporary storage. Valuable content like credit card numbers and passwords is then filtered out and sold on the black market.
This malware, like many others we've analyzed, uses multiple obfuscation techniques to avoid detection by anti-malware tools. Being malware designed specifically for Android devices, its authors employed DexGuard as part of the obfuscation process. DexGuard is an application security framework for Android apps that employs various techniques to make apps harder to analyze or tamper with. While it is intended for legitimate use cases, like protecting mobile games from cheats, bad actors can also use it to shield their malware.
Another notable feature of FireScam is the broad set of permissions it requests upon installation. These permissions include:
- Query all packages: Allows the malware to see all installed apps, likely to avoid specific anti-malware solutions.
- Read and write to external storage.
- Request delete packages and request install packages: Let FireScam delete and install apps, enabling it to remove security tools and add more malicious software.
- Update packages without user action: Lets it update apps without user interaction.
- Enforce update ownership: Restricts updates to the app's designated owner, ensuring the malware remains persistent on the device.
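The permission set above is itself a useful triage signal: a messaging app has no reason to enumerate every installed package, install and delete other apps, and lock in its own update ownership. The following is an added example, not code from the original post or from FireScam, showing how an analyst might score a manifest's `uses-permission` entries. The two manifests are constructed for illustration, and the risk weights, combination names and threshold are assumptions, not a published standard; the permission names themselves are real Android framework permissions.

```python
"""Score an AndroidManifest.xml's permission requests for triage.

Added example (not the malware's code and not a vendor tool). The sample
manifests below are constructed; the weights and threshold are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed weights: (score, why an analyst cares). The permission names are real.
RISKY_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": (3, "enumerate every installed app"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "install additional APKs"),
    "android.permission.REQUEST_DELETE_PACKAGES": (3, "uninstall other apps"),
    "android.permission.UPDATE_PACKAGES_WITHOUT_USER_ACTION": (2, "update silently"),
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": (2, "block other updaters"),
    "android.permission.WRITE_EXTERNAL_STORAGE": (1, "write shared storage"),
    "android.permission.READ_EXTERNAL_STORAGE": (1, "read shared storage"),
}

# Assumed combination names: permissions that together describe a capability.
COMBOS = {
    "package-management": {
        "android.permission.QUERY_ALL_PACKAGES",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.REQUEST_DELETE_PACKAGES",
    },
    "update-persistence": {
        "android.permission.UPDATE_PACKAGES_WITHOUT_USER_ACTION",
        "android.permission.ENFORCE_UPDATE_OWNERSHIP",
    },
}

HIGH_RISK_SCORE = 8  # assumed threshold


def parse_permissions(manifest_xml):
    """Return (package name, list of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for node in root.iter("uses-permission"):  # the tag itself is not namespaced
        name = node.get(NAME_ATTR)
        if name:
            perms.append(name)
    return root.get("package", ""), perms


def triage(manifest_xml):
    """Score the manifest and report which permissions and combinations fired."""
    package, perms = parse_permissions(manifest_xml)
    present = set(perms)
    flags = [(p, RISKY_PERMISSIONS[p][1]) for p in perms if p in RISKY_PERMISSIONS]
    score = sum(RISKY_PERMISSIONS[p][0] for p, _ in flags)
    combos = [name for name, needed in COMBOS.items() if needed <= present]
    if score >= HIGH_RISK_SCORE or combos:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "score": score, "flags": flags,
            "combos": combos, "verdict": verdict}


# Constructed manifest mirroring the permission set described for the stealer.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fake.telegram.premium">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.UPDATE_PACKAGES_WITHOUT_USER_ACTION"/>
  <uses-permission android:name="android.permission.ENFORCE_UPDATE_OWNERSHIP"/>
</manifest>"""

# Constructed manifest for an ordinary messaging app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.plain.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], result["verdict"], result["score"], result["combos"])
        for perm, reason in result["flags"]:
            print("   ", perm, "->", reason)
```

The combination checks matter more than the raw score: a file manager may legitimately ask for storage access, but query-all-packages plus install plus delete in one app is the "app management" capability the post describes, and the two update permissions together are the persistence mechanism. Run it over the decoded manifest from a tool such as apktool to get the same triage on a real sample.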
Once installed and granted permissions, FireScam performs checks to ensure it isn’t running in a sandbox environment. These include verifying installed applications, identifying its own process name, and fingerprinting device details. These checks also help identify security measures like Samsung's Knox, which may require different bypass techniques.
The malware then registers a service to receive Firebase Cloud Messaging notifications, enabling two-way communication with its command and control server, effectively turning the compromised device into a reverse shell.
FireScam also monitors the activity of the messaging app on the device, extracting text message contents and sending them to its database. If you have this malware on your device, your text messages are no longer private, whether from the NSA or the FSB. Since the malware is distributed through a fake RuStore, this strongly suggests the hackers are targeting Russian users.
Additionally, the malware monitors:
- Screen state changes: Tracks when the screen is on/off, the number of touches, and the duration of interaction.
- Notifications from other apps: Gives hackers further insight into user interactions.
- Keylogging, clipboard, and autofill monitoring: Essentially captures all user activity on the device.
To make the app appear legitimate, it presents a web view of Telegram's real login page. However, logging in through this app compromises your Telegram account credentials, leaving your account vulnerable.
Mitigation and Final Thoughts
The best way to avoid malware like FireScam is to avoid downloading apps from untrustworthy sources. Stick to official app stores or verified third-party repositories. Random APKs from shady websites are a recipe for disaster.
In Russia, pre-installing the RuStore on smartphones, similar to Chinese app store setups, could help mitigate these attacks. Alternatively, creating home screen shortcuts to the official RuStore could help less tech-savvy users avoid fake versions.
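Because the whole attack depends on sideloading, one practical check on an already-deployed fleet is to ask Android which installer put each package on the device and flag anything that did not come through an allow-listed store. The following is an added example, not code from the original post, that parses the output of `adb shell pm list packages -i` and reports sideloaded packages and Telegram lookalikes. The sample output is constructed; the trusted-installer list (`com.android.vending` for Google Play and `ru.vk.store` for RuStore) and the real Telegram package name `org.telegram.messenger` are my assumptions for the allow-list and should be confirmed against your own devices.

```python
"""Audit installed packages by their installer of record.

Added example (not the post's code). Input is the text printed by
`adb shell pm list packages -i`; the sample below is constructed.
"""
import re

# Assumed allow-list of store package names; adjust for your environment.
TRUSTED_INSTALLERS = {"com.android.vending", "ru.vk.store"}

# Assumed genuine package name of the Telegram client.
REAL_TELEGRAM = "org.telegram.messenger"

# `pm list packages -i` prints one "package:<name>  installer=<pkg|null>" line per app.
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Return a list of (package, installer) tuples; installer is None for 'null'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unexpected lines
        pkg, installer = m.group(1), m.group(2)
        entries.append((pkg, None if installer == "null" else installer))
    return entries


def audit(text, trusted=TRUSTED_INSTALLERS, system_packages=frozenset()):
    """Flag packages not installed by a trusted store, and Telegram lookalikes.

    system_packages: names known to be preloaded (their installer is also 'null'),
    typically taken from `pm list packages -s`, so they are not reported as sideloaded.
    """
    sideloaded, lookalikes = [], []
    for pkg, installer in parse_pm_list(text):
        if pkg not in system_packages and installer not in trusted:
            sideloaded.append((pkg, installer))
        if "telegram" in pkg.lower() and pkg != REAL_TELEGRAM:
            lookalikes.append(pkg)
    return {"sideloaded": sideloaded, "lookalikes": lookalikes}


# Constructed sample: two store-installed apps, a preloaded store, one APK pushed
# through the system package installer, and one with no installer recorded.
SAMPLE_PM_OUTPUT = """package:com.android.chrome  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:ru.vk.store  installer=null
package:com.telegram.premium.free  installer=com.google.android.packageinstaller
package:example.sideloaded.tool  installer=null
"""

SAMPLE_SYSTEM_PACKAGES = frozenset({"ru.vk.store"})

if __name__ == "__main__":
    report = audit(SAMPLE_PM_OUTPUT, system_packages=SAMPLE_SYSTEM_PACKAGES)
    for pkg, installer in report["sideloaded"]:
        print("sideloaded:", pkg, "installer:", installer or "none recorded")
    for pkg in report["lookalikes"]:
        print("telegram lookalike:", pkg)
```

The installer of record is not tamper-proof (an app with install permissions can itself become the "installer" of what it drops, which is exactly why a dropper installed from a fake store shows up with a non-store installer), so treat this as a fleet-wide hygiene check rather than a detection of this specific family. Pairing it with a preinstalled, pinned RuStore, as the post suggests, removes most of the reason a user would reach for a sideloaded APK in the first place.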