
FireScam Malware Exploits Telegram Premium App To Steal User Data

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Justyn Newman, Former Lead Cybersecurity Editor

A new strain of Android malware, named FireScam, is targeting users by posing as a Telegram Premium application, as first reported by cybersecurity experts at CYFIRMA.

In a Rush? Here are the Quick Facts!

  • FireScam malware disguises itself as a fake Telegram Premium app via phishing websites.
  • The phishing site impersonates RuStore, a popular app store in the Russian Federation.
  • The malware captures sensitive information, including messages, notifications, and clipboard data.

Distributed through a phishing website designed to mimic RuStore, a popular app store in Russia, the malware then uses sophisticated techniques to infiltrate devices, steal sensitive data, and evade detection.

The Hacker News reports that it is still unclear who the operators are, how users are directed to these links, or whether SMS phishing or malvertising techniques are involved.

The researchers note that FireScam is distributed through a GitHub.io-hosted phishing site that impersonates RuStore, tricking users into downloading a malicious APK. The fake app promises Telegram Premium features but instead deploys a multi-stage infection process.

It begins with a dropper APK that downloads and installs the FireScam malware, disguising it as a legitimate application. Once installed, FireScam conducts extensive surveillance on the infected device.

It captures sensitive data such as notifications, messages, and clipboard activity. The malware even monitors device interactions, including screen state changes and e-commerce transactions, providing attackers with valuable insights into user behavior.

FireScam relies on Firebase Realtime Database as part of its command-and-control infrastructure, which it depends on to manage its malicious activities. The same database serves as the storage location for the information the malware steals from infected devices.

Once the data is uploaded, the attackers sift through it to identify valuable pieces, such as sensitive personal details or financial information. Any data deemed unnecessary is deleted to avoid raising suspicion.

In FireScam’s case, using Firebase—a legitimate and widely used service—helps the malware blend in, making it harder for security tools to detect and block its activities. Firebase is also employed to deliver additional malicious payloads, allowing the attackers to maintain persistent control over compromised devices.

The malware employs obfuscation to conceal its intent and evade detection by security tools. It also performs environment checks to identify if it is running in an analysis or virtualized environment, further complicating efforts to track its activities.

By leveraging the popularity of widely used apps like Telegram and legitimate services like Firebase, FireScam highlights the advanced tactics employed by modern threat actors. The malware’s ability to steal sensitive information and maintain stealth poses a significant risk to both individual users and organizations.

Information Security Buzz (ISB) reports that Eric Schwake, Director of Cybersecurity Strategy at Salt Security, highlights the increasing sophistication of Android malware, exemplified by FireScam.

“Although using phishing websites for malware distribution is not a new tactic, FireScam’s specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers’ evolving techniques to mislead and compromise unsuspecting users,” said Schwake, according to Dark Reading.

ISB reports that Schwake stresses the need for robust API security, as compromised devices can access sensitive data through mobile app APIs. Strong authentication, encryption, and continuous monitoring are essential to mitigate these risks.

To counter FireScam, the researchers at CYFIRMA suggest employing threat intelligence, robust endpoint security, and behavior-based monitoring. They also suggest using firewalls to block malicious domains and application whitelisting to prevent unauthorized executables.


Phishing Attacks Drain $494 Million From Crypto Users In 2024, Report Shows

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Justyn Newman, Former Lead Cybersecurity Editor

In 2024, nearly $500 million in cryptocurrency was stolen from over 332,000 victims due to wallet drainer malware, according to the anti-scam firm Scam Sniffer.

In a Rush? Here are the Quick Facts!

  • Wallet drainers trick victims into signing malicious transactions, leading to stolen assets.
  • The largest theft amounted to $55.48 million, marking a significant loss.
  • Ethereum-based assets made up the majority of stolen funds, totaling $152 million.

These types of attacks, known as “wallet drainers,” trick victims into signing harmful transactions, allowing cybercriminals to steal their crypto assets.

Wallet drainer attacks saw a staggering 67% increase in losses compared to the previous year, with the total amount stolen reaching $494 million. Although the number of victims rose slightly by 3.7%, the amount stolen per attack grew significantly. The largest single theft amounted to over $55 million.

Wallet drainer malware typically operates through phishing websites, where unsuspecting users are lured into signing malicious transactions. Once the user authorizes the transaction, the attacker gains the ability to move the user’s crypto assets.
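How the “sign a malicious transaction” step can be caught before the user confirms it, as an added example that is not code from the article or from Scam Sniffer: a pre-signature review, of the kind a wallet or browser extension could run, that decodes an ERC-20 `approve` or ERC-721 `setApprovalForAll` call and an EIP-2612 `Permit` typed-data message, and flags unlimited allowances to spenders the wallet has not seen before. The two function selectors are the standard ones for those methods; the scoring thresholds, the allowlist of known spenders, and every address and request in the block are constructed for illustration.

```javascript
// Added example, not code from the article or from Scam Sniffer.
// A pre-signature review that a wallet UI or browser extension could run
// before asking the user to confirm. Two request shapes drainers abuse are
// covered: an eth_sendTransaction calling approve/setApprovalForAll, and an
// eth_signTypedData_v4 EIP-2612 "Permit" message. Every address, token and
// request below is constructed for the example.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte function selectors: first 4 bytes of keccak256 of the signature.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
};

// Map a numeric score to a label the UI can act on (thresholds are our choice).
function classify(score, findings) {
  const risk = score >= 3 ? "high" : score > 0 ? "medium" : "low";
  return { risk, score, findings };
}

// Hypothetical allowlist of spenders the user has interacted with before.
function normalizeSet(addresses) {
  return new Set([...addresses].map((a) => a.toLowerCase()));
}

// Review a transaction object { to, data } before it is signed.
function reviewTransaction(tx, knownSpenders = []) {
  const known = normalizeSet(knownSpenders);
  const data = (tx.data || "0x").toLowerCase();
  const findings = [];
  let score = 0;

  // A plain value transfer or a call we do not decode carries no allowance risk here.
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn || data.length < 10 + 2 * 64) return classify(0, findings);

  const args = data.slice(10);
  const word = (i) => args.slice(i * 64, (i + 1) * 64); // one 32-byte ABI word
  const spender = "0x" + word(0).slice(24);              // address is right-aligned

  if (!known.has(spender)) {
    score += 1;
    findings.push(`${fn}: spender ${spender} not previously seen`);
  }
  if (fn === "approve") {
    const amount = BigInt("0x" + word(1));
    if (amount === MAX_UINT256) {
      score += 2;
      findings.push("approve: unlimited ERC-20 allowance requested");
    }
  } else if (fn === "setApprovalForAll" && BigInt("0x" + word(1)) === 1n) {
    score += 2;
    findings.push("setApprovalForAll: operator access to every token in the collection");
  }
  return classify(score, findings);
}

// Review an EIP-712 typed-data request (object or JSON string) for an EIP-2612 Permit.
function reviewTypedData(typedData, knownSpenders = []) {
  const td = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const known = normalizeSet(knownSpenders);
  const findings = [];
  let score = 0;
  if (td.primaryType !== "Permit") return classify(0, findings);

  const { spender = "", value = "0" } = td.message || {};
  if (!known.has(spender.toLowerCase())) {
    score += 1;
    findings.push(`Permit: spender ${spender} not previously seen`);
  }
  if (BigInt(value) === MAX_UINT256) {
    score += 2;
    findings.push("Permit: unlimited allowance, signed off-chain with no gas prompt");
  }
  return classify(score, findings);
}

// Constructed sample requests of the kind a phishing page would submit.
const SPENDER = "1111111111111111111111111111111111111111";
const SAMPLE_UNLIMITED_APPROVE = {
  to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // constructed token contract
  data: "0x095ea7b3" + "0".repeat(24) + SPENDER + "f".repeat(64),
};
const SAMPLE_SET_APPROVAL_FOR_ALL = {
  to: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", // constructed NFT contract
  data: "0xa22cb465" + "0".repeat(24) + SPENDER + "0".repeat(63) + "1",
};
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "ConstructedToken", version: "1", chainId: 1 },
  message: { owner: "0x2222222222222222222222222222222222222222", spender: "0x" + SPENDER,
             value: MAX_UINT256.toString(), nonce: 0, deadline: 1900000000 },
};

for (const [label, result] of [
  ["unlimited approve", reviewTransaction(SAMPLE_UNLIMITED_APPROVE)],
  ["setApprovalForAll", reviewTransaction(SAMPLE_SET_APPROVAL_FOR_ALL)],
  ["Permit", reviewTypedData(SAMPLE_PERMIT)],
]) console.log(label, result.risk, result.findings);
```

These three request shapes are the ones worth reviewing because a single confirmation hands over control of an entire balance or collection rather than one payment, and the off-chain `Permit` variant never triggers the gas prompt that would otherwise make a user pause. A real wallet would add the Permit2 message types and surface the decoded spender and amount to the user instead of only a label.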

Scam Sniffer says these attacks primarily target users of EVM-compatible blockchain networks, such as Ethereum, Arbitrum, and BNB Chain. Scam Sniffer’s analysis reveals that wallet drainer attacks followed a distinct pattern in 2024. The first quarter of the year saw the highest number of victims and losses, totaling $187.2 million.

As the year progressed, however, the number of victims decreased, and security awareness seemed to improve. In the second half of the year, the frequency of large-scale thefts dropped significantly.

Some notable trends include a rise in phishing attacks linked to specific malware types like Pink Drainer and Inferno Drainer, which dominated the first half of the year. By the end of 2024, however, these threats had evolved, with new players entering the scene.

Victims often suffer losses in popular cryptocurrencies like stablecoins and staking tokens. In total, 30 major thefts exceeding $1 million each contributed to the $171 million stolen in large-scale attacks.

To protect against wallet drainer threats, Scam Sniffer recommends users remain vigilant about unsolicited messages and only download apps from trusted sources. Security measures, including using up-to-date anti-malware tools and verifying transactions through different channels, are essential to safeguarding digital assets.