Attention Android users: New malware detected

FireScam Malware

A white paper by cyber threat intelligence experts has revealed Android malware called FireScam. It steals users' sensitive data, including their notifications, and uses sophisticated obfuscation techniques to avoid detection. FireScam masquerades as a Telegram Premium app and is distributed through a fake RuStore app store website. The fake site is designed to look like an app store that is popular in the Russian Federation in particular. However, experts warn that the attackers may also operate in other regions and through other distribution channels.

FireScam uses the advanced techniques typical of today's malware. It works through a multi-stage attack process: a dropper first infects the device, and the malware then steals data and monitors activity on the device. FireScam tries to hide by using legitimate services such as Firebase, and it not only steals data but also establishes a persistent control mechanism on the device.

The report's findings show that FireScam monitors screen status changes, e-commerce transactions, clipboard activity and user interactions on the device. It also collects notifications from many different applications, including system applications. The malware exfiltrates user messages and application data through a Firebase Realtime Database.

Researchers note that this type of malware, which abuses popular messaging apps and widely used services, poses a serious threat to individuals and organisations. Users should take particular care to download apps only from reputable stores and should watch out for fake app stores. The FireScam example demonstrates once again how sophisticated and dangerous modern malware has become.
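As an added example (not taken from the white paper), the following audit combines the two traits described above: installation from outside a reputable store and access to other apps' notifications. It parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_notification_listeners`; the package names, the sample output and the trusted-installer list are constructed assumptions.

```python
import re

# Assumption: installers this organisation treats as reputable stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PACKAGES = """\
package:org.example.notes  installer=com.android.vending
package:com.example.premium.messenger  installer=null
package:com.example.flashlight  installer=com.example.dropper
package:com.example.wearcompanion  installer=com.android.vending
"""

# Constructed sample of
# `adb shell settings get secure enabled_notification_listeners` output.
SAMPLE_LISTENERS = (
    "com.example.wearcompanion/.NotifyBridge:"
    "com.example.premium.messenger/com.example.premium.messenger.NListener"
)

PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

def parse_installers(text):
    """Map package name -> installer package (None when none is recorded)."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result

def parse_listeners(value):
    """Return the packages that hold notification-listener access."""
    value = value.strip()
    if not value or value == "null":
        return set()
    # Entries are colon-separated "package/component" names.
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(packages_text, listeners_value, trusted=TRUSTED_INSTALLERS):
    """List third-party apps not installed by a trusted store.

    Severity is "high" when the app can also read notifications.
    """
    listeners = parse_listeners(listeners_value)
    findings = []
    for pkg, inst in sorted(parse_installers(packages_text).items()):
        if inst not in trusted:
            findings.append(("high" if pkg in listeners else "review", pkg, inst))
    return findings
```

Calling `audit(SAMPLE_PACKAGES, SAMPLE_LISTENERS)` flags the sideloaded messenger that reads notifications as `high` and the other untrusted install as `review`.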
