A new Android malware called FireScam has been identified impersonating the Telegram messaging application to collect user data. The malware, first detected by cybersecurity researchers in late 2023, mimics the legitimate Telegram app’s appearance and interface while secretly gathering sensitive information from infected devices. The discovery follows a broader pattern of sophisticated malware operations targeting Android devices, including the recent BADBOX campaign that affected over 192,000 devices worldwide.
The malware typically spreads through phishing attacks or by masquerading as a legitimate app update. Users may receive notifications or emails that appear to be from Telegram, containing links to download what looks like an updated version of the application but that actually install the FireScam malware. This approach is similar to recent sophisticated phishing campaigns that have resulted in significant financial losses for users.
“FireScam is a highly sophisticated piece of malware. It uses advanced social engineering tactics to trick users into downloading the fake app,” said cybersecurity expert Dr. Maria Rodriguez. “Once installed, it can access a wide range of sensitive data, including login credentials, contact lists, and even device location information.”
Upon installation, FireScam begins collecting various types of data, including login credentials for other applications and services, contact lists, device-specific information such as IMEI numbers and operating system versions, and location data. The information is transmitted to command and control servers for potential use in identity theft, financial fraud, and targeted advertising. The theft of IMEI numbers is particularly concerning, as these unique device identifiers have become increasingly valuable targets for cybercriminals, leading some countries to implement strict IMEI registration and monitoring systems.
“We strongly advise users to only download the Telegram app from the official Google Play Store or Apple App Store. Any other source could potentially lead to malware infections like FireScam,” states Telegram. This guidance supports Google’s recent efforts to enhance Android security, including the implementation of improved biometric authentication measures.
“FireScam demonstrates advanced capabilities, including the ability to intercept two-factor authentication codes,” says malware analyst Dr. John Lee. This capability is particularly concerning given the rising threat of SIM swapping attacks, which caused $48 million in losses during 2023.
Security recommendations include downloading apps exclusively from official app stores, verifying app permissions, maintaining regular app updates, and using reputable antivirus software. The Google Play Store advises users to verify developer names and reviews before installation and to be cautious of applications requesting unnecessary permissions. These precautions are especially important as mobile authentication methods continue to evolve, with many platforms moving toward passkey-based authentication systems to enhance security.
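One way to apply the "official store" and "verify permissions" advice across a managed device, as an added example that is not from the original article or any vendor: it reads installer lines in the format printed by `adb shell pm list packages -i` and flags packages that were not installed by Google Play yet request several permissions covering the data types named above. The permission mapping, the threshold, the sample packages, and the per-package permission sets (assumed to be collected from `adb shell dumpsys package <pkg>`) are constructed for illustration.

```python
import re

OFFICIAL_INSTALLERS = {"com.android.vending"}  # Google Play Store
P = "android.permission."
# Assumption: Android permissions that gate the data types the article lists.
SENSITIVE = {
    P + "READ_SMS": "SMS content (2FA codes)",
    P + "RECEIVE_SMS": "incoming SMS (2FA codes)",
    P + "READ_CONTACTS": "contact list",
    P + "ACCESS_FINE_LOCATION": "location",
    P + "READ_PHONE_STATE": "device identifiers",
}
LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample input; package names other than Telegram's are made up.
SAMPLE_INSTALLERS = """\
package:org.telegram.messenger  installer=com.android.vending
package:com.example.tg.premium  installer=null
package:com.example.notes  installer=com.android.packageinstaller
"""
SAMPLE_PERMS = {
    "org.telegram.messenger": {P + n for n in ("READ_CONTACTS", "READ_PHONE_STATE")},
    "com.example.tg.premium": set(SENSITIVE),
    "com.example.notes": {P + "INTERNET"},
}

def parse_installers(text):
    """Map package name -> installer from `pm list packages -i` style lines."""
    installers = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def audit(installer_text, perms_by_pkg, threshold=3):
    """Flag non-store installs that request >= threshold sensitive permissions."""
    findings = []
    for pkg, installer in sorted(parse_installers(installer_text).items()):
        if installer in OFFICIAL_INSTALLERS:
            continue
        hits = sorted(SENSITIVE[p] for p in perms_by_pkg.get(pkg, ()) if p in SENSITIVE)
        if len(hits) >= threshold:
            findings.append((pkg, installer, hits))
    return findings

if __name__ == "__main__":
    for pkg, installer, hits in audit(SAMPLE_INSTALLERS, SAMPLE_PERMS):
        print(f"REVIEW {pkg} (installer={installer}): {', '.join(hits)}")
```

Preloaded system apps also report `installer=null`, so treat a finding as a prompt to review the package, not as a verdict.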
Sources: Cybersecurity News, The Hacker News, Malwarebytes Blog, Google Play Store Blog