# FireScam
FireScam is an Android information stealer discovered by CYFIRMA in January 2025 that masquerades as a Telegram Premium application. The malware is distributed through a phishing page impersonating RuStore, Russia's domestic app store launched after Western sanctions led to the removal of major apps from the Russian Google Play Store. FireScam leverages Google Firebase for both C2 configuration delivery and real-time data exfiltration, using Firebase's real-time database as a staging area for stolen data. The malware intercepts notifications across all applications, captures clipboard contents, monitors e-commerce transactions, and exfiltrates credentials, messaging data, and device information. Its targeting of Russian-speaking users through a fake RuStore page positions it as a threat specifically calibrated for the post-sanctions Russian mobile ecosystem.
## Overview
| Attribute | Details |
|---|---|
| First Seen | January 2025 |
| Status | Active |
| Type | Information stealer, spyware |
| Aliases | None known |
| Attribution | Unknown |
| Distribution | Fake RuStore phishing page, Telegram Premium lure |
## Origin and Lineage
CYFIRMA published their analysis in January 2025, documenting FireScam as a newly discovered Android threat with no known lineage to existing malware families. The choice of RuStore as a distribution vector and Telegram Premium as the lure application suggests an operator with specific knowledge of the Russian mobile ecosystem and user behavior patterns.
RuStore was launched in 2022 by Russian internet company VK (formerly Mail.ru Group) as an alternative app store after Google restricted access to Google Play for Russian users and many Western app developers withdrew from the Russian market. Russian users who adopted RuStore are accustomed to sideloading apps from alternative sources, making them more susceptible to phishing pages that replicate the RuStore interface. The Telegram Premium lure exploits the platform's massive popularity in Russia, where Telegram serves as a primary communication channel for both personal and business use.
## Distribution
| Vector | Details |
|---|---|
| Fake RuStore page | Phishing website replicating Russia's RuStore app marketplace |
| Telegram Premium lure | Malware disguised as the premium version of Telegram |
## Attack Flow
- The victim visits a phishing page designed to look like the RuStore app store
- The page presents a fake "Telegram Premium" application for download
- The victim downloads and installs a dropper APK from the phishing page
- The dropper requests storage and package installation permissions
- The dropper extracts and installs the main FireScam payload
- FireScam requests extensive permissions including notification access, clipboard monitoring, and SMS access
- A fake Telegram login screen captures the victim's credentials
- FireScam establishes communication with Firebase infrastructure for C2 and data exfiltration
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Notification interception | Monitors and captures notifications from all applications on the device |
| Clipboard monitoring | Continuously captures clipboard contents, including copied passwords and tokens |
| E-commerce monitoring | Tracks e-commerce transactions and captures financial data from shopping apps |
| Credential theft | Fake Telegram login screen harvests credentials at install time |
| SMS collection | Reads and exfiltrates text messages |
| Contact exfiltration | Harvests the device contact list |
| Call log harvesting | Extracts call history |
| Device profiling | Collects device model, OS version, storage information, and installed apps |
### Notification Interception
FireScam's notification interception captures data from every application on the device. This includes messaging apps, email clients, banking apps, and authentication tools. By reading notification content, the malware can harvest one-time passwords (OTPs), two-factor authentication codes, message previews, and transaction alerts without needing to directly compromise each individual application.
### E-Commerce Monitoring
FireScam specifically monitors e-commerce application activity, capturing transaction details, payment information, and purchase history. This targeted capability suggests the operators are interested in financial data beyond what traditional banking trojans collect through overlay attacks, focusing instead on the broader spectrum of digital commerce activity.
## Technical Details
### Firebase Infrastructure
FireScam's most distinctive technical characteristic is its reliance on Google Firebase as core infrastructure. The malware uses Firebase in two roles:
| Firebase Function | Purpose |
|---|---|
| C2 configuration | Delivers operational parameters and commands to the implant |
| Real-time database | Serves as a staging area for exfiltrated data before operator retrieval |
Using Firebase provides several operational advantages. Firebase traffic is directed to Google-owned domains, making it indistinguishable from legitimate app traffic at the network level. Firebase's real-time database functionality allows the malware to continuously stream stolen data without maintaining a dedicated C2 server. This reduces the infrastructure footprint the operator must manage and eliminates a traditional indicator of compromise (a suspicious C2 domain).
This Firebase-centric approach shares architectural similarities with KoSpy, which uses Firebase Firestore for C2 configuration delivery. However, FireScam takes the Firebase dependency further by also using the real-time database for data exfiltration, whereas KoSpy switches to a dedicated C2 server for ongoing communication and data collection.
### Dropper Mechanism
FireScam uses a two-stage installation process. The initial APK downloaded from the fake RuStore page functions as a dropper that extracts and installs the main payload. This separation allows the dropper to appear relatively benign during initial analysis, with the bulk of malicious functionality contained in the second-stage payload.
### Permissions
| Permission | Purpose |
|---|---|
| BIND_NOTIFICATION_LISTENER_SERVICE | Intercept all push notifications for OTP and credential harvesting |
| READ_SMS | Read SMS messages |
| RECEIVE_SMS | Intercept incoming SMS |
| READ_CONTACTS | Exfiltrate contact list |
| READ_CALL_LOG | Extract call history |
| READ_EXTERNAL_STORAGE | Access files on device storage |
| READ_PHONE_STATE | Device profiling |
| INTERNET | Firebase C2 communication and data exfiltration |
| REQUEST_INSTALL_PACKAGES | Dropper installs main payload |
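As an added triage example (not CYFIRMA's code and not a FireScam artifact), the Python below checks a decoded Android manifest for the permission combination in the table above and scans the app's string resources for Firebase Realtime Database hosts, covering both the Firebase Infrastructure section and this Permissions table. It assumes the APK has already been decoded (for example with apktool); the package name, service name and Firebase project name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set the page lists for FireScam (minus the listener binding,
# which is declared on a <service>, not as a <uses-permission>).
STEALER_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_PHONE_STATE",
    "android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.INTERNET",
}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Firebase Realtime Database hosts, in both the legacy and the regional form.
FIREBASE_RTDB = re.compile(
    r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)")


def triage_manifest(manifest_xml: str, strings_blob: str) -> dict:
    """Flag the notification-listener + install + SMS combination and any
    Realtime Database hosts embedded in the app's string resources."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A NotificationListenerService is a <service> guarded by the listener
    # permission; the user grants it from Settings, not at install time.
    listener = any(s.get(ANDROID_NS + "permission") == NOTIF_LISTENER
                   for s in root.iter("service"))
    hits = sorted(requested & STEALER_PERMS)
    suspicious = (listener
                  and "android.permission.REQUEST_INSTALL_PACKAGES" in hits
                  and "android.permission.READ_SMS" in hits)
    return {"stealer_perms": hits, "notification_listener": listener,
            "firebase_rtdb": sorted(set(FIREBASE_RTDB.findall(strings_blob))),
            "suspicious": suspicious}


# Constructed sample input (placeholder package, service and project names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = "firebase_database_url=https://placeholder-project-default-rtdb.europe-west1.firebasedatabase.app\n"
```

The host match alone is not an indicator, since many legitimate apps embed a Firebase database URL; the combination with a notification listener and REQUEST_INSTALL_PACKAGES is what warrants a closer look.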
## Target Regions
| Region | Details |
|---|---|
| Russia | Primary target: Russian-speaking users who use RuStore and Telegram |
The fake RuStore distribution page, Telegram Premium lure, and Russian-language interface collectively confirm that FireScam is designed specifically for Russian-speaking victims. The post-sanctions Russian mobile ecosystem, where sideloading from alternative stores has become normalized, creates an environment where users are more likely to download apps from unfamiliar sources.
## Notable Campaigns
January 2025: CYFIRMA disclosed FireScam after discovering the phishing page impersonating RuStore and distributing a fake Telegram Premium application. The analysis documented the Firebase-based C2 and exfiltration architecture, notification interception capabilities, and e-commerce monitoring. The campaign specifically targets Russian-speaking users navigating the alternative app store ecosystem that emerged after Western sanctions.
## Related Families
| Family | Relationship |
|---|---|
| KoSpy | Both use Google Firebase infrastructure for C2 configuration delivery, leveraging legitimate Google services to blend malicious traffic with normal app behavior. KoSpy uses Firebase Firestore for configuration and a separate C2 for data collection, while FireScam uses Firebase for both configuration and data exfiltration. |
| SpyNote | Both are Android surveillance tools that intercept notifications, capture credentials, and exfiltrate device data. SpyNote operates as a commodity RAT builder with a broad operator base, while FireScam is a focused information stealer targeting the Russian mobile ecosystem through a specific distribution chain. |