FireScam Malware: Removal Guide and Prevention Tips

FireScam is a sophisticated piece of Android malware disguised as a fake Telegram Premium app. It targets Android devices by utilizing a dropper APK distributed via phishing websites. FireScam is designed to steal sensitive information, monitor user activities, and send stolen data to remote servers, leveraging Firebase—a legitimate cloud messaging service—for communication. This makes FireScam challenging to detect and eliminate. Immediate removal is essential to mitigate its impact.

---

What is FireScam?

FireScam is a highly malicious Android malware that uses advanced techniques to avoid detection and exfiltrate data. Distributed primarily through a fraudulent Telegram Premium app, FireScam infiltrates devices via social engineering tactics. Once installed, it operates stealthily, compromising privacy, stealing sensitive data, and potentially causing significant financial and personal damage.

---

FireScam in Detail

FireScam deploys a series of advanced methods to infiltrate devices and operate undetected:

1. Initial Infection and Evasion
   • Environment Check: Scans the device for virtual or controlled environments to bypass security checks.
   • Dynamic Adaptation: Adjusts its attacks based on the device’s model and system version.
2. Firebase Integration
   • Registers a service to manage Firebase push notifications.
   • Executes remote commands and delivers additional payloads upon receiving specific Firebase messages.
3. Data Theft
   • Accesses the Messages app to capture SMS content.
   • Monitors device activity, such as screen on/off events, and logs app interactions.
   • Steals sensitive data, including passwords, private messages, and autofill information.
4. Notification Monitoring
   • Tracks notifications from apps like Telegram, Viber, VK, WhatsApp, and more.
   • Ignores silent notifications but intercepts others to steal sensitive information.
5. E-commerce Activity Tracking: Monitors transactions, purchases, and refunds to gather payment and shopping data.
6. Image Downloading for Payload Delivery: Downloads images from specific URLs, potentially hiding malicious payloads within them.
7. Impact on Device Performance: Causes slower device performance, increased battery drain, and higher data usage.

---

Threat Summary

Attribute	Details
Name	FireScam Spyware
Threat Type	Android malware, malicious application, unwanted application.
Detection Names	Avast-Mobile (Android:Evo-gen [Trj]), Combo Cleaner (Android.Riskware.Kerty.aAGC), ESET-NOD32 (A Variant Of Android/Spy.Agent.DVZ), Kaspersky (HEUR:Trojan-Banker.AndroidOS.Mamont.bb).
Symptoms	Slow device performance, modified settings, questionable apps, increased data/battery usage, intrusive ads.
Damage	Stolen personal data, financial losses, identity theft, reduced device efficiency.
Distribution Methods	Social engineering, deceptive apps, phishing websites.
Danger Level	High

---

How to Remove FireScam Malware

Step 1: Identify Symptoms of Infection

Look for signs such as:

• Slow device performance
• Unexplained data usage
• Intrusive ads
• Unwanted apps
• Excessive battery drain
• Browser redirects

If you notice these symptoms, your device may be infected with FireScam.

Step 2: Boot into Safe Mode

Booting into Safe Mode disables third-party apps, including FireScam. To do this:

1. Hold the Power button.
2. Tap and hold Power Off until Reboot to Safe Mode appears.
3. Tap OK.

Step 3: Uninstall Suspicious Apps

1. Go to Settings > Apps > Manage Apps.
2. Uninstall any suspicious apps, especially ones you didn’t install intentionally.

Step 4: Disable Device Administrators

If FireScam has admin privileges, revoke them:

1. Go to Settings > Security > Device Administrators.
2. Disable suspicious apps and then uninstall them.

Step 5: Clear Cached and App Data

1. Go to Settings > Storage > Clear Cached Data.
2. For individual apps, go to Settings > Apps > [App Name] > Storage, then tap Clear Data and Clear Cache.

Step 6: Revoke Suspicious Permissions

Check app permissions and revoke any suspicious access:

1. Go to Settings > Privacy > Permissions.
2. Revoke permissions for untrusted apps.

Step 7: Perform a Factory Reset (If Necessary)

If FireScam persists, perform a factory reset:

1. Go to Settings > System > Reset > Factory Data Reset.
2. Confirm the reset (note: this will erase all data on your device).

Step 8: Update Your Device’s OS

After removing FireScam, check for updates:

1. Go to Settings > Software Updates.
2. Install any available updates to patch vulnerabilities.

---

Preventing Future Infections

Preventing malware infections requires a combination of caution and proactive measures:

1. Avoid Phishing Websites
   • Only download apps from trusted sources like the Google Play Store.
   • Be wary of links and attachments from unknown sources.
2. Check App Permissions
   • Monitor app permissions to ensure they are appropriate for the app’s function.
   • Revoke unnecessary permissions.
3. Use Security Software
   • Install reputable anti-malware software like SpyHunter.
   • Keep it updated to defend against the latest threats.
4. Keep Your Device Updated: Regularly update your Android OS to patch vulnerabilities.
5. Be Vigilant About Suspicious Activity: Watch for unusual device behavior, such as increased data usage or unfamiliar apps.
6. Regularly Backup Data: Maintain backups of important data to protect against potential losses.

---

Conclusion

FireScam is a dangerous Android malware that compromises user privacy and device functionality. Its advanced techniques, such as Firebase integration and notification monitoring, make it particularly harmful. Immediate removal with a reliable tool like SpyHunter is crucial to prevent data theft and other consequences. By following the preventive measures outlined above, users can reduce their risk of falling victim to similar threats in the future.