In recent months, the cybersecurity community has focused on a sophisticated new malware targeting Android devices: FireScam. This malicious software has surprised experts and users alike with its ability to camouflage itself as a supposed "premium" version of Telegram, one of the most popular messaging apps in the world. The goal? To steal personal and financial information and maintain control of the compromised device without the user suspecting anything.
The danger of FireScam lies in its social engineering, the effectiveness of its distribution methods, and the way it exploits the trust of those seeking exclusive features or free versions of popular apps. In this article, we'll tell you everything you need to know about how FireScam works, its camouflage techniques, the real risks, and how to protect yourself effectively if you use an Android phone.
What is FireScam and how does it trick Android users?
FireScam is malware that began to be detected at the end of 2024 and gained notoriety in early 2025 for its ability to pass itself off as the Telegram Premium app. The growing interest in modified or advanced versions of Telegram, coupled with the emergence of alternative app stores in Russia following Western sanctions, has created the perfect environment for this scam.
Cybercriminals have developed fraudulent websites that perfectly imitate platforms such as RuStore (an alternative Russian app marketplace) and Telegram itself. These pages are hosted on trusted domains like GitHub.io, which increases the sense of legitimacy and makes any unwary user lower their guard.
The hook is irresistible: a supposedly free "premium" version of Telegram, with exclusive features and no ads. The attackers encourage you to download an APK file called GetAppsRu.apk. However, far from obtaining an improved version of the application, the user installs a dropper (a program that delivers the main malicious payload), which initiates a chain of actions aimed at data theft and continuous control of the device.
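Defenders who triage links reported by users can turn the pattern just described (a brand name on a host the brand does not own, a page on a free-hosting service such as GitHub.io, a direct APK download) into simple heuristics. The Python script below is an added example and is not part of the original article or of any vendor's tooling; the list of official domains, the list of free-hosting platforms and the sample URLs are assumptions constructed for the example.

```python
"""Heuristic triage of links that promise a "premium" Telegram or a RuStore
download.  Added example, not from the original article.  The official-domain
list and the free-hosting list are assumptions."""
from urllib.parse import urlparse

# Assumption: domains the impersonated brands actually use.
OFFICIAL_DOMAINS = {
    "telegram": {"telegram.org", "t.me"},
    "rustore": {"rustore.ru"},
}
# Assumption: shared free-hosting services anyone can publish a lookalike page on.
FREE_HOSTING = {"github.io", "netlify.app", "pages.dev", "web.app"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels ('foo.github.io' -> 'github.io').
    Good enough for this heuristic; a production tool would use the public
    suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a FireScam-style lure.
    An empty list means no heuristic fired."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    path = parsed.path.lower()
    reasons: list[str] = []

    # 1. A brand name in the hostname while the host is not the brand's own
    #    domain (e.g. telegram-premium.github.io).
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in host and domain not in domains:
            reasons.append(f"'{brand}' in hostname but hosted on {domain}")

    # 2. The link hands out an APK directly instead of pointing at a store listing.
    if path.endswith(".apk"):
        reasons.append("direct APK download")

    # 3. The page lives on a free-hosting platform.
    if domain in FREE_HOSTING:
        reasons.append(f"free-hosting domain ({domain})")

    # 4. Cleartext HTTP, which a real store or messenger would not use for downloads.
    if parsed.scheme == "http":
        reasons.append("cleartext http")

    return reasons


def is_suspicious(url: str) -> bool:
    """True if at least one heuristic fired."""
    return bool(triage_url(url))


if __name__ == "__main__":
    # Constructed sample links; none of these is a real FireScam indicator.
    for sample in (
        "https://telegram-premium.github.io/GetAppsRu.apk",
        "http://rustore-apps.example.net/download/GetAppsRu.apk",
        "https://telegram.org/",
        "https://www.rustore.ru/catalog/app/org.telegram.messenger",
    ):
        print(sample, "->", triage_url(sample) or "no findings")
```

The brand check deliberately looks only at the hostname, not the path, so that a legitimate store listing for Telegram on the store's own domain is not flagged; the free-hosting rule still catches a lure that hides the brand name in the path.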

Phases of infection: from dropper to complete control
FireScam infection is not a random occurrence; the developers have designed a multi-stage process which makes it difficult for antivirus and security experts to detect.
- Initial access: The user downloads the APK from a page that imitates RuStore or Telegram Premium, believing it to be a reliable source.
- Installing the dropper: The APK works as a dropper or "vehicle", delivering the main payload after requesting very broad permissions (access to notifications, storage, installing/updating/deleting apps, call and message logs, etc.).
- Persistence and control: The dropper designates itself as the owner of the app's updates using the Android permission ENFORCE_UPDATE_OWNERSHIP. This prevents the user from updating the app from other sources, so the malicious version stays in place unless it is removed by hand.
- Cloud Connection: Through Firebase Realtime Database and WebSocket channels, the malware begins to transfer data in real time to the attackers' servers and can receive remote commands (updates, additional malware downloads, spying instructions, etc.).
What information does FireScam steal and how does it use it?
Once installed, FireScam keeps almost every sensitive area of the device under constant surveillance. Among the data it accesses and steals are:
- App notifications: Reads and copies notification content, including from messaging, email, and banking apps.
- SMS messages: Intercepts text messages, verification codes, private communications, and more.
- Call logs and contacts: Views contact lists, phone numbers, and all incoming and outgoing call activity.
- Clipboard data: Access copied and pasted information, from passwords to snippets of banking data or sensitive information from other applications.
- Application activity: It knows which apps are open at any given time, monitors usage, and tracks screen state changes (on/off, locks, unlocks). It can even log which app is active and for how long, allowing attackers to fine-tune their attacks or spy on usage habits.
- Financial transactions and online purchases: Collects payment details, purchase records, and can intercept card and bank credential data by monitoring banking and payment-related apps and clipboards.
One of the most worrying features is that, when the supposed Telegram Premium app is opened, a WebView screen identical to the official login screen is displayed. If the user enters their credentials, they are stolen, but even if you don't log in, the malware immediately begins exfiltrating data in the background.
All of this data goes into a cloud database (Firebase) managed by the attackers. Temporary files and logs are then quickly exfiltrated and deleted, hampering the work of security analysts and complicating the tracking of operations once the victim becomes aware of the attack.
Evasion techniques, persistence, and advanced malware capabilities
This is not just any malware. FireScam is characterized by its advanced evasion and control techniques, among which the following stand out:
- Code obfuscation and anti-analysis: The malware is designed to hide its operation from automated analysis and sandboxes, making life difficult for researchers and antivirus engines.
- Real-time monitoring and remote commands: It keeps the communication channel active using Firebase Cloud Messaging (FCM) to receive remote instructions, which makes it more dangerous if the attackers decide to download more malware or modify its behavior depending on the compromised device.
- Control of legitimate updates: Thanks to the special permission it assumes as "update owner", it blocks updates from other sources that could remove the malware, ensuring virtually indefinite persistence unless it is completely deleted using advanced options.
- Ability to download and process images from URLs: This suggests potential for content analysis, steganography, or the deployment of new malicious payloads disguised as harmless images.
Additionally, some FireScam variants can register the device in the cloud with a unique identifier, facilitating the management of large networks of infected devices and the centralized administration of attack campaigns.
International distribution: Does it only affect Russia or does it have a global reach?
If you're wondering whether FireScam is a threat only to Russian users, the answer is clear: its reach is global. Although initial distribution has focused on imitating RuStore (a Russian platform that emerged after Google Play left that country), the domains used are hosted on widely used services such as GitHub.io, and the malicious pages can be shared via SMS, malvertising, or social media with users anywhere in the world.
Phishing campaigns and social engineering know no borders. In fact, the promise of free "premium" versions or improved Telegram apps is a global temptation, especially among young people or those who want to avoid paying in official stores.
The attack is so sophisticated that even Cyfirma's experts acknowledge that the exact method used to draw users to the malicious links is still unclear, although they suspect a variety of strategies: from text messages with misleading links to ads on websites of dubious reputation or messages on instant messaging platforms.
Recommendations and prevention: How to protect yourself from FireScam and similar malware
The best defense against FireScam, as against most Android threats, is prevention and common sense. Here are the most effective tips and measures:
- Always download apps from official stores: Google Play and the App Store are much safer than any alternative website, no matter how trustworthy it may seem. Absolutely avoid installing APKs from unknown or dubious sources.
- Be wary of promises of premium versions or free paid apps: If a paid app is offered for free through unofficial channels, it's most likely a scam.
- Check permissions before installing any app: If an app requests access to notifications, SMS, storage, contacts, or banking data without reasonable cause, be immediately suspicious.
- Keep your operating system and apps updated: Frequent updates fix security holes and reduce the risk of infection.
- Use a reliable and updated antivirus: Although FireScam employs techniques to evade detection, a modern antivirus solution can add an important layer of protection.
- Avoid clicking on links in unverified messages: Don't click on links sent via text messages, emails, or social media messages that promise attractive apps or promotions.
- Have a recovery plan: If you think your device has been infected, change all your passwords, disconnect linked accounts, and consider restoring your phone to its factory settings after backing up only essential data.
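The permission-check advice above can also be applied to a phone that is already in use, by auditing what each installed package requests. The Python script below is an added example, not code from the article or from any vendor: it parses the output of `adb shell dumpsys package` and of `adb shell settings get secure enabled_notification_listeners` (the latter is assumed to list enabled notification-access services as `pkg/Service` entries separated by colons) and scores each package by how many of the permissions the article associates with the dropper (SMS, call logs, contacts, storage, installing packages, and the ENFORCE_UPDATE_OWNERSHIP permission) it requests. The sample output, the package names and the weights are constructed for the example.

```python
"""Permission audit for an Android device already in use.  Added example, not
code from the article or from any vendor tool.  It scores installed packages by
how many of the permissions the article associates with the FireScam dropper
they request.  The sample inputs below are constructed."""
import re
from dataclasses import dataclass

# Assumption: weights reflecting how unusual each permission is for an ordinary app.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.ENFORCE_UPDATE_OWNERSHIP": 3,  # the "update owner" permission named in the article
}
# Notification access is granted in Settings rather than via a manifest permission,
# so it is read from a separate setting and weighted here.
NOTIFICATION_ACCESS_WEIGHT = 3
PACKAGE_RE = re.compile(r"^Package \[([^\]]+)\]")


def parse_requested_permissions(dumpsys_text: str) -> dict[str, set[str]]:
    """Map package name -> entries listed under 'requested permissions:' in
    the output of `adb shell dumpsys package`."""
    result: dict[str, set[str]] = {}
    current = None
    in_requested = False
    for raw in dumpsys_text.splitlines():
        match = PACKAGE_RE.match(raw)
        if match:
            current = match.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None or not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent <= 4:
            # A new section header; only 'requested permissions:' is of interest.
            in_requested = raw.strip() == "requested permissions:"
        elif in_requested:
            result[current].add(raw.strip())
    return result


def parse_notification_listeners(setting_value: str) -> set[str]:
    """Packages named in `settings get secure enabled_notification_listeners`;
    the value is assumed to look like 'pkg/Service:pkg2/Service2' (or 'null')."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}


@dataclass
class Finding:
    package: str
    score: int
    reasons: list[str]


def score_packages(dumpsys_text: str, listeners_setting: str, threshold: int = 5) -> list[Finding]:
    """Return packages whose risk score reaches the threshold, highest first."""
    listeners = parse_notification_listeners(listeners_setting)
    findings = []
    for package, requested in parse_requested_permissions(dumpsys_text).items():
        score, reasons = 0, []
        for permission, weight in RISKY_PERMISSIONS.items():
            if permission in requested:
                score += weight
                reasons.append(permission.rsplit(".", 1)[1])
        if package in listeners:
            score += NOTIFICATION_ACCESS_WEIGHT
            reasons.append("notification access enabled")
        if score >= threshold:
            findings.append(Finding(package, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample output; the package names are fictional.
SAMPLE_DUMPSYS = """\
Package [com.example.messenger] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.fakepremium] (4d5e6f):
    userId=10299
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.ENFORCE_UPDATE_OWNERSHIP
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_LISTENERS = (
    "com.example.messenger/com.example.messenger.Listener:"
    "com.example.fakepremium/com.example.fakepremium.NotifyService"
)

if __name__ == "__main__":
    for finding in score_packages(SAMPLE_DUMPSYS, SAMPLE_LISTENERS):
        print(f"{finding.package}: score {finding.score}, {', '.join(finding.reasons)}")
```

A messenger that legitimately reads contacts and has notification access stays below the threshold; it is the combination of SMS, call-log, package-installation and update-ownership requests in one app that pushes a package to the top of the list, which is exactly the profile the article describes for the dropper.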
With this information, you'll know more about FireScam and how it operates. Avoid scams and prevent this malware from spreading to other devices. Share this information so that more people know about the topic.
