Fake RuStore infects Russians' smartphones with a virus disguised as Telegram Premium

Hackers gain access to personal information, password managers, banking applications, and financial transactions of victims

During the New Year holidays, Russians fell victim to a new virus that steals data and passwords from Android devices under the guise of Telegram Premium. Victims downloaded the malicious software, FireScam, from a fake page of the Russian mobile application marketplace RuStore. Cybersecurity specialists from CyFirma, who discovered the threat, note that the fraudsters disguised their virus very convincingly as the real Telegram Premium. The fake version of the Russian counterpart to Google Play was also very well made.

FireScam consists of two parts, so even if the user does not activate the suspicious application, their device will still be harmed. When the pseudo-Telegram Premium is first downloaded, the dropper GetAppsRu.apk, obfuscated with DexGuard, is loaded onto the device. It requests critical permissions to access the system. Then the main malicious module, Telegram Premium.apk, is installed, which gains access to notifications, the clipboard, and SMS.

If the user activates the fake application, FireScam displays a fake Telegram login screen to steal credentials. The virus instantly transmits the victim's number and password for logging into Telegram, as well as unique device identifiers, to the cybercriminals.

It is noteworthy that FireScam has extensive capabilities for tracking victims. This program monitors screen activity, applications running on the device, and financial transactions. It also collects all data entered on the device and the contents of the clipboard, and steals data from password managers.

CyFirma strongly recommends that users download applications only from official sources and be vigilant when clicking on external links.
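The access pattern described above, an app from outside a trusted store that holds both SMS and notification access, can be checked on a device under review. The following is an added example, not part of the original article or CyFirma's findings; it parses constructed, simplified text modelled on the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_notification_listeners`, and the permission set, trusted-installer list and package names are assumptions.

```python
import re

# Assumptions (not from the article): which permissions count as "SMS access"
# and which installer packages are trusted. Extend TRUSTED_INSTALLERS as needed.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANTED_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

# Constructed, simplified samples modelled on `dumpsys package` and the
# `enabled_notification_listeners` secure setting; package names are made up.
SAMPLE_DUMP = """\
Package [org.example.chat] (a1b2c3):
  installerPackageName=com.android.vending
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.premium] (d4e5f6):
  installerPackageName=null
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (0718ab):
  installerPackageName=null
    android.permission.READ_SMS: granted=false
"""
SAMPLE_LISTENERS = ("org.example.chat/.NotifService:"
                    "com.example.premium/com.example.premium.Listener")

def parse_packages(dump):
    """Map package name -> installer (None if none recorded) and granted permissions."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            cur = pkgs.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif cur is not None and (m := INSTALLER_RE.match(line)):
            cur["installer"] = None if m.group(1) == "null" else m.group(1)
        elif cur is not None and (m := GRANTED_RE.match(line)):
            cur["granted"].add(m.group(1))
    return pkgs

def listener_packages(setting):
    """Packages holding notification access, from the colon-separated component list."""
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c and c != "null"}

def triage(dump, listeners_setting, trusted=TRUSTED_INSTALLERS):
    """Return packages from untrusted installers that hold SMS and notification access."""
    listeners = listener_packages(listeners_setting)
    return sorted(name for name, info in parse_packages(dump).items()
                  if info["installer"] not in trusted
                  and info["granted"] & SMS_PERMS and name in listeners)
```

Preinstalled system apps also report no installer, so restrict the input to third-party packages before treating a hit as suspicious.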

Earlier, fake "Gosuslugi" websites were discovered in Russia. Fraudsters exploit the inattention of Russians and even invite victims to "complain about the attackers to the Central Bank".
