Firestarter: a new Android malware
The hacking group known as DoNot abused a legitimate Google messaging service to evade detection and used a new tool called Firestarter to deliver malware to Android devices.
DoNot uses Firebase Cloud Messaging (FCM), a cross-platform messaging and notification service for Android, iOS and web applications, provided by Firebase, a Google subsidiary.
Firestarter uses FCM as the mechanism for contacting DoNot's command-and-control (C2) server, which helps the group's activity avoid detection.
Cisco Talos researchers said: "Our research shows that DoNot is testing a new technique to keep a foothold on the victim's device."
They added: "These experiments indicate that the group is determined to continue its activities despite its weaknesses, which makes it a particularly dangerous actor operating in the espionage area."
DoNot focuses on India and Pakistan and targets Pakistani government officials and nonprofits in Kashmir.
The researchers said that users are encouraged to install the malicious application on their devices, most likely through direct messages that rely on social engineering.
Once the app, which poses as a chat platform, is opened, the user sees a message saying that the chat room has been loaded, then that the app is not supported and is being uninstalled.
After the uninstall message appears, the icon is removed from the launcher, although the app still appears in the application list of the phone's settings.
In the background, the malicious app uses FCM to retrieve its payload.
According to Firebase, an FCM implementation consists of two main components for sending and receiving messages:
an application server (or other trusted server environment) on which messages are built, targeted and sent, and a client app on iOS, Android or the web that receives them.
The malicious app sends its FCM registration token to the C2 server together with device information, including geographic location, IP address, IMEI and the victim's email address, signalling to the operators that this victim is ready to receive the payload.
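As an added illustration (not code from the article or from Talos), the following Python sketches how a defender might triage captured outbound HTTP requests from a device for the beacon described above: an FCM registration token posted, together with device identifiers, to a host that is not a Firebase endpoint. The host allowlist, the token pattern and the sample traffic are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately receive FCM registration traffic. Assumption: a short
# allowlist chosen for this example, not an exhaustive list of Google endpoints.
LEGIT_FCM_HOSTS = {"fcm.googleapis.com", "firebaseinstallations.googleapis.com",
                   "android.apis.google.com", "mtalk.google.com"}

# FCM registration tokens are long opaque strings containing an ":APA91b" segment.
FCM_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{6,}:APA91b[A-Za-z0-9_-]{20,}")
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")          # 15-digit IMEI
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def analyse_request(url, body):
    """Score one captured outbound HTTP request. Returns the list of reasons it
    resembles a Firestarter-style beacon (FCM token plus device identifiers sent
    to a non-Firebase host); an empty list means nothing suspicious was seen."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if FCM_TOKEN_RE.search(body) and host not in LEGIT_FCM_HOSTS:
        reasons.append(f"FCM registration token posted to non-Firebase host {host}")
        identifiers = [name for name, rx in (("IMEI", IMEI_RE), ("email address", EMAIL_RE))
                       if rx.search(body)]
        if identifiers:
            reasons.append("token accompanied by device identifiers: " + ", ".join(identifiers))
    return reasons

def triage(requests):
    """Run analyse_request over (url, body) pairs; return only flagged ones, keyed by URL."""
    return {url: r for url, body in requests if (r := analyse_request(url, body))}

# Constructed sample traffic: one legitimate FCM registration, one benign login,
# and one beacon shaped like the behaviour the article describes (placeholder C2 host).
SAMPLE_REQUESTS = [
    ("https://fcm.googleapis.com/fcm/connect/subscribe",
     "token=d7Y3x1Qm:APA91bHkq8Zf0N2vL6sP3tR9wX4yB5cD8eF1gH7jK0lM"),
    ("https://example.com/login", '{"user":"alice@example.com","pw":"..."}'),
    ("https://c2.example.invalid/register",
     '{"fcm":"d7Y3x1Qm:APA91bHkq8Zf0N2vL6sP3tR9wX4yB5cD8eF1gH7jK0lM","imei":"356938035643809",'
     '"ip":"203.0.113.7","geo":"33.72,73.06","email":"victim@example.com"}'),
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_REQUESTS).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Real traffic would normally be TLS-protected, so this logic belongs in an on-device or interception-proxy analysis step rather than on raw network captures.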