Fake Game Sites Trick Users Into Installing Malware

Image by Alexander Andrews, from Unsplash


  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

A new online scam is targeting unsuspecting users with fake video game invitations that lead to malware downloads, stealing sensitive personal information.

In a Rush? Here are the Quick Facts!

  • Victims receive DM invitations to test a game, leading to a Trojan download.
  • Malware steals login credentials, cookies, passwords, and cryptocurrency wallet data.
  • Discord credentials are often targeted to expand the network of compromised accounts.

The scam, first reported by MalwareBytes, begins with a direct message (DM) on platforms like Discord, where the attacker poses as a game developer asking if the target would be interested in testing a new game they’ve created. Sometimes, victims may also receive the message via text or email.

If the target expresses interest, they are sent a download link and a password to access the game’s installation file. These files are often hosted on cloud storage platforms like Dropbox or even on compromised accounts within Discord itself, lending the scam an air of credibility.

However, instead of a game, what the victim actually downloads is an information-stealing Trojan. This story highlights the recent report showing a rise in cyberattacks aimed at young gamers.

MalwareBytes says that these Trojans can come in different forms, often disguised as simple installer files, and they are designed to steal sensitive information from the victim’s computer. The malware is typically disguised in installer formats like NSIS or MSI.

The primary purpose of these Trojans is to gather personal information, such as login credentials, session cookies, and data related to cryptocurrency wallets.

MalwareBytes explains that one of the most common types of malware used in this scam is the Nova Stealer, which specializes in stealing login details from web browsers, Discord, Steam, and even cryptocurrency wallets.

MalwareBytes adds that the Ageo Stealer operates similarly, allowing hackers to access users’ credentials and personal information.

Additionally, some versions of the Trojan, like the Hexon Stealer, are even more dangerous. They can collect a wide range of data, including saved passwords, credit card information, and Discord tokens, which hackers can use to further compromise victims’ accounts, as reported by MalwareBytes.

The stolen information often includes contact details for the victim’s friends, which criminals use to trick other users into believing they are communicating with a trusted friend. This emotional manipulation helps the scammers spread their malicious campaigns even further.

MalwareBytes says that the ultimate goal of these scams is financial gain. The hackers hope to either directly steal money or use the stolen information for fraudulent activities. If you’ve fallen for this scam, MalwareBytes says it’s crucial to keep an eye on your bank accounts and cryptocurrency wallets.

Recognizing these fake game sites can be challenging, but there are common signs to look out for. MalwareBytes says that many of the fraudulent websites use a template, which cybercriminals can easily modify to suit their needs. These sites are often hosted on unreliable platforms and are protected by services like Cloudflare, making them hard to take down.

MalwareBytes adds that some scams even use popular platforms like Blogspot to host their malicious sites, although these sites still follow a recognizable template.

MalwareBytes suggests that to protect yourself, you should always use up-to-date anti-malware software and verify any suspicious messages from “friends” via other communication channels. Avoid downloading files from unsolicited messages, and stay cautious when asked to install something unexpectedly.

FireScam Malware Exploits Telegram Premium App To Steal User Data

Image by Dimitri Karastelev, from Unsplash


  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

A new strain of Android malware, named FireScam, is targeting users by posing as a Telegram Premium application, as first reported by cybersecurity experts at CYFIRMA.

In a Rush? Here are the Quick Facts!

  • FireScam malware disguises itself as a fake Telegram Premium app via phishing websites.
  • The phishing site impersonates RuStore, a popular app store in the Russian Federation.
  • The malware captures sensitive information, including messages, notifications, and clipboard data.

Distributed through a phishing website designed to mimic RuStore, a popular app store in Russia, the malware uses sophisticated techniques to infiltrate devices, steal sensitive data, and evade detection.

The Hacker News reports that it is still unclear who the operators are, how users are directed to these links, or whether SMS phishing or malvertising techniques are involved.

The researchers note that FireScam is distributed through a GitHub.io-hosted phishing site that impersonates RuStore, tricking users into downloading a malicious APK. The fake app promises Telegram Premium features but instead deploys a multi-stage infection process.

It begins with a dropper APK that downloads and installs the FireScam malware, disguising it as a legitimate application. Once installed, FireScam conducts extensive surveillance on the infected device.

It captures sensitive data such as notifications, messages, and clipboard activity. The malware even monitors device interactions, including screen state changes and e-commerce transactions, providing attackers with valuable insights into user behavior.

FireScam relies on Firebase Realtime Database as part of its command-and-control system, which is essential for managing its malicious activities. This database acts as a storage space for the information the malware steals from infected devices.

Once the data is uploaded, the attackers sift through it to identify valuable pieces, such as sensitive personal details or financial information. Any data deemed unnecessary is deleted to avoid raising suspicion.

In FireScam’s case, using Firebase—a legitimate and widely used service—helps the malware blend in, making it harder for security tools to detect and block its activities. Firebase is also employed to deliver additional malicious payloads, allowing the attackers to maintain persistent control over compromised devices.

The malware employs obfuscation to conceal its intent and evade detection by security tools. It also performs environment checks to identify if it is running in an analysis or virtualized environment, further complicating efforts to track its activities.

By leveraging the popularity of widely used apps like Telegram and legitimate services like Firebase, FireScam highlights the advanced tactics employed by modern threat actors. The malware’s ability to steal sensitive information and maintain stealth poses a significant risk to both individual users and organizations.

Information Security Buzz (ISB) reports that Eric Schwake, Director of Cybersecurity Strategy at Salt Security, highlights the increasing sophistication of Android malware, exemplified by FireScam.

“Although using phishing websites for malware distribution is not a new tactic, FireScam’s specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers’ evolving techniques to mislead and compromise unsuspecting users,” said Schwake according to Dark Reading.

ISB reports that Schwake stresses the need for robust API security, as compromised devices can access sensitive data through mobile app APIs. Strong authentication, encryption, and continuous monitoring are essential to mitigate these risks.

To counter FireScam, the researchers at CYFIRMA suggest employing threat intelligence, robust endpoint security, and behavior-based monitoring. They also suggest using firewalls to block malicious domains and application whitelisting to prevent unauthorized executables.