Covered deception: a virus disguised as the Telegram Premium app appeared on the Web
FireScam malware that masquerades as the Telegram Premium application has appeared on the Web, experts have warned. The virus is aimed at stealing data from Android devices and is distributed via a GitHub page that mimics the Russian app store RuStore. Read about the new threat and how to protect against it in this Izvestia report.
What is known about the new virus FireScam
Cyfirma, a company specializing in information security, reported that FireScam malware masquerading as the Telegram Premium application has appeared online.
To spread the new virus, hackers use a GitHub page that mimics the Russian RuStore. That page delivers the GetAppsRu.apk application, which Android security tools do not flag, to users' devices. Once installed, the program obtains all the permissions it needs, giving it a wide range of capabilities.
Among them are enumerating installed applications, access to the device's storage, and permission to install additional packages. The program then installs the main payload, Telegram_Premium.apk, which in turn requests access to notifications, the clipboard, SMS content and other data. On first launch, FireScam opens the Telegram login page.
Data from the messenger is what the cybercriminals steal first. In parallel, the application connects to a Firebase Realtime Database, to which the stolen information is uploaded. FireScam also maintains a persistent connection to a remote server, which allows the cybercriminals to execute various commands on the victim's device.
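One defender-side check that follows from this two-stage chain is to list which of the permissions named above an APK's manifest references before sideloading it. This is an added example, not code from the article or from Cyfirma: it reads the string pool of the compiled AndroidManifest.xml (the standard Android binary XML layout), the RISKY list is constructed from the permissions the article mentions, and build_sample_axml fabricates a sample manifest so the parser can be run offline.

```python
import struct
import zipfile

RISKY = {"android.permission." + p for p in (  # named in the article; constructed, not exhaustive
    "REQUEST_INSTALL_PACKAGES", "QUERY_ALL_PACKAGES", "READ_EXTERNAL_STORAGE", "READ_SMS",
    "RECEIVE_SMS", "SEND_SMS", "CALL_PHONE", "BIND_NOTIFICATION_LISTENER_SERVICE")}

def _len_prefix(data: bytes, pos: int, width: int) -> tuple[int, int]:
    # AXML length prefix: u8 in UTF-8 pools, u16 in UTF-16 pools; a set high bit means two units.
    fmt, hi = ("<B", 0x80) if width == 1 else ("<H", 0x8000)
    n = struct.unpack_from(fmt, data, pos)[0]
    if n & hi:
        n = ((n & (hi - 1)) << (8 * width)) | struct.unpack_from(fmt, data, pos + width)[0]
        pos += width
    return n, pos + width

def extract_axml_strings(axml: bytes) -> list[str]:
    """String pool of a compiled AndroidManifest.xml; permission names appear here as literals."""
    ftype, fhdr, _ = struct.unpack_from("<HHI", axml, 0)  # RES_XML_TYPE chunk header
    pool = fhdr  # the RES_STRING_POOL_TYPE chunk follows the 8-byte file header
    ptype, phdr, _, count, _, flags, start, _ = struct.unpack_from("<HHIIIIII", axml, pool)
    if ftype != 0x0003 or ptype != 0x0001:
        raise ValueError("not a binary XML file with a leading string pool")
    utf8, out = bool(flags & 0x100), []
    for off in struct.unpack_from(f"<{count}I", axml, pool + phdr):
        pos = pool + start + off
        if utf8:
            _, pos = _len_prefix(axml, pos, 1)  # character count (not needed)
            n, pos = _len_prefix(axml, pos, 1)  # byte count
            out.append(axml[pos:pos + n].decode("utf-8"))
        else:
            n, pos = _len_prefix(axml, pos, 2)  # UTF-16 code-unit count
            out.append(axml[pos:pos + 2 * n].decode("utf-16-le"))
    return out

def find_risky(strings: list[str]) -> list[str]:
    return sorted(s for s in strings if s in RISKY)

def triage_apk(path: str) -> list[str]:
    # Risky permissions an APK on disk references, to review before sideloading it.
    with zipfile.ZipFile(path) as z:
        return find_risky(extract_axml_strings(z.read("AndroidManifest.xml")))

def build_sample_axml(strings: list[str]) -> bytes:
    # Constructed UTF-16 string pool in an AXML wrapper, so the parser can be exercised offline.
    body, offsets = b"", []
    for s in strings:
        offsets.append(len(body))
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    start = 28 + 4 * len(strings)
    pool = struct.pack("<HHIIIIII", 0x0001, 28, start + len(body), len(strings), 0, 0, start, 0)
    pool += struct.pack(f"<{len(strings)}I", *offsets) + body
    return struct.pack("<HHI", 0x0003, 8, 8 + len(pool)) + pool
```

A manifest that asks for the install, SMS and notification-listener permissions together, as the two FireScam stages do, is the signal to uninstall and investigate rather than proceed.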
How dangerous is it to infect a device with the FireScam virus?
In the scheme described by Cyfirma experts, a mobile Trojan is used; it is capable of sending arbitrary SMS and USSD requests on command from the attackers' server, Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab, explained in a conversation with Izvestia. This suggests that the attackers' goal is to steal the victim's funds.
"The Trojan is also capable of displaying a phishing page on an infected smartphone, which can be used to steal credentials from a messenger account," the expert says. "In the future, the stolen account can be used by attackers in their schemes."
Vadim Matvienko, head of the cybersecurity research laboratory at the Gazinformservice analytical center for cybersecurity, adds that FireScam also monitors activity on the device, including screen-state changes, e-commerce transactions, clipboard activity and user interaction, which allows it to covertly collect valuable information. Beyond sending data to the server, the malware can also receive additional malicious content from the attackers' server, which can lead to complete control of the smartphone.
According to Dmitry Kalinin, cybersecurity experts discovered the first versions of similar malware in late 2023 and named it Mamont. Since then, both its functionality and its distribution scenarios have changed. Early versions of the malware were distributed under the guise of adult applications.
"Quite often, fraudsters use schemes in which a person is offered Telegram Premium for free, supposedly as a gift from friends," adds Vitaly Fomin, head of the information security analyst group at the Digital Economy League. "If the user believes it, he or she will go to a phishing page or download malicious software that can steal confidential information."
Why hackers use a fake RuStore page
According to Vadim Matvienko, the scheme built around FireScam poses a serious danger to users. The point is that the fake RuStore the hackers use to spread the malware is very well made and does not arouse suspicion, which increases the risk.
"Taking into account that RuStore appeared relatively recently and not all users are familiar with it, the deception can be very successful," the expert told Izvestia.
At the same time, Alexei Korobchenko, head of the information security department at Security Code, points out that any other fake app store could have taken RuStore's place in the FireScam distribution scheme, since attackers regularly use such fakes to deliver malware, and RuStore fakes appear among them all the time.
Thus, according to Alexei Korobchenko, in 2023 several fake apps were discovered in Google Play, and in 2024 about ten apps resembling RuStore in design but not in functionality appeared in Xiaomi's Mi GetApps.
"The vast majority of the fakes showed advertisements and carried no actual payload, but there were also several genuinely malicious applications with various software, including FireScam functionality," says the expert.
As Vadim Matvienko notes, RuStore is a marketplace developed with the support of the Ministry of Digital Development. It is a fairly new service that many Russians have not yet encountered, or have encountered only a couple of times to install banking applications. The fake RuStore therefore does not arouse suspicion, especially since not everyone double-checks sources. Attackers are well aware of the new habits of Russian smartphone users and their problems, and skillfully exploit this in their schemes.
How to protect yourself from FireScam virus and RuStore fakes
To protect themselves from threats related to the FireScam virus and RuStore fakes, experts interviewed by Izvestia advise following a number of digital security rules. In particular, Artem Grishchenko, a leading malicious code analyst at F.A.C.C.T., recommends not following dubious links received from unknown people.
"Download applications only from official app stores, and evaluate their behavior after installation," advises Alexey Kolesnikov, a specialist in the PT Sandbox expertise department at Positive Technologies. "If an application requires additional unexpected actions from you, uninstall it."
For example, if, when downloading an app store, you are immediately offered to install third-party software, even with the promise of "free premium", this should arouse suspicion. It is important to pay attention to details: in the case of RuStore, this could be an address in the browser address bar spelled differently from rustore.ru, or a website interface that differs from the official one.
Such errors and inaccuracies indicate that the user is most likely dealing with a phishing resource. In addition, apps from RuStore today can be downloaded only through the store's official mobile application.
"To avoid becoming a victim of fraudsters, download RuStore only from the official site rustore.ru or use the version pre-installed on your smartphone," the RuStore press service emphasizes. "Installation from other sources may not be safe."
In general, for the attack to succeed, the user must interact with the fake resource several times and repeatedly agree to the permissions the application requests. Therefore, the most effective protection is the vigilance of users themselves, concludes Alexey Vishnyakov, technical director of Solar 4RAYS, Solar's cyber threat research center.