Firestarter Android Malware Abuses Google Firebase Cloud Messaging

  • The DoNot APT threat group is leveraging the authentic Google Firebase Cloud Messaging server as a command-and-command (C2) communication system.

    An APT team is commencing fires with a new Android malware loader, which employs a authentic Google messaging assistance to bypass detection.

    The malware, dubbed “Firestarter,” is utilised by an APT menace group referred to as “DoNot.” DoNot employs Firebase Cloud Messaging (FCM), which is a cross-system cloud answer for messages and notifications for Android, iOS and web apps. The assistance is presented by Firebase, a subsidiary of Google, and has been earlier leveraged by cybercriminals.

    In this situation, the loader works by using it as a interaction mechanism to join with DoNot’s command-and-regulate (C2) servers, helping the group’s actions steer clear of detection.

    “Our investigate exposed that DoNot has been experimenting with new methods to retain a foothold on their target equipment,” in accordance to researchers with Cisco Talos in a Thursday assessment. “These experiments, substantiated in the Firestarter loader, are a signal of how determined they are to preserve their functions even with becoming uncovered, which will make them a particularly dangerous actor working in the espionage space.”

    The DoNot team carries on to target on India and Pakistan, and is identified for focusing on Pakistani authorities officers and Kashmiri non-financial gain companies (Kashmiris are a Dardic ethnic group indigenous to the disputed Kashmir Valley).

    Users are lured to set up a destructive app on their mobile product, very likely finished through direct messages that use social engineering, researchers mentioned. The filename of these Android apps (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) demonstrate ongoing fascination in India, Pakistan and the Kashmir disaster.

    When the app — which purports to be a chat platform — is downloaded and opened, people obtain a message that chats are continuously loading, and that the application is not supported, and that uninstallation is in progress. This is a lure to make the sufferer believe that that there was no malicious put in, scientists said. After the message of uninstallation is revealed, the icon is eradicated from the user interface (though it nonetheless reveals in the software list in the phone’s configurations).

    The malicious application purports to uninstall just after download. Credit history: Cisco Talos

    In the background, however, the malicious app is making an attempt to down load a payload using FCM.

    According to Firebase, an FCM implementation incorporates two principal parts for sending and receiving messages. These include things like an application server on which to construct, focus on and ship messages and an iOS, Android, or web (JavaScript) consumer app that receives messages by means of the corresponding system-certain transport provider.

    In this case, the application sends the C2 server a Google FCM token with various unit facts – such as the geographic place, IP tackle, IMEI and email address from the victims – which then allows operators to choose whether the victim should receive the payload. This ensures that only pretty specific devices are sent the destructive payload, scientists mentioned.

    The C2 then sends a Google FCM information that contains the URL for the malware to obtain the payload. When the malware receives this concept, it checks if it contains a essential named “link,” and if that exists, it checks if it begins with “https.” It then employs the link to down load the payload from a hosting server.

    Of be aware, researchers stated that the Google FCM conversation channel is encrypted and combined among the other communications done by Android OS using the Google infrastructure, which can help it escape notice.

    “DoNot staff is hiding aspect of their website traffic among the authentic traffic,” stated researchers. “Even while the destructive actors however need to have a [C2] infrastructure, the hardcoded one is only required at installation time, later on it can be discarded and very easily replaced by a different just one. Therefore, if their C2 is taken down by regulation enforcement or considered malicious, they can even now accessibility the victim’s device and instruct it to contact a new C2.”

    DoNot’s Firestarter malware attack vector. Credit rating: Cisco Talos

    The remaining payload, meanwhile, is not embedded in the Android software, making it unachievable for analysts to dissect it.

    “This solution also tends to make detection a lot more challenging,” they mentioned. “The application is a loader with a fake person interface that manipulates the focus on following setting up it.”

    Hackers Place Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are having hammered by ransomware attacks in 2020. Save your location for this Absolutely free webinaron healthcare cybersecurity priorities and hear from major security voices on how data security, ransomware and patching have to have to be a priority for each individual sector, and why. Sign up for us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, confined-engagement webinar.