{"id":16679,"date":"2026-06-05T12:58:55","date_gmt":"2026-06-05T12:58:55","guid":{"rendered":"https:\/\/theandroidapk.com\/blog\/?p=16679"},"modified":"2026-06-05T12:58:59","modified_gmt":"2026-06-05T12:58:59","slug":"firescam-android-malware-disguised-as-telegram-app-steals-sensitive-data","status":"publish","type":"post","link":"https:\/\/theandroidapk.com\/blog\/firescam-android-malware-disguised-as-telegram-app-steals-sensitive-data\/","title":{"rendered":"FireScam Android Malware Disguised as Telegram App Steals Sensitive Data"},"content":{"rendered":"\n

FireScam is an Android info-stealer that pretends to be “Telegram Premium.” It spreads through a fake version of RuStore \u2014 Russia’s official app store \u2014 where victims download what looks like a free premium upgrade and actually install spyware. Once it’s on the phone it grabs almost everything: texts, contacts, call logs, location, files, clipboard and every notification that pops up (one-time passcodes included). The clever, nasty part is how it phones home \u2014 it routes stolen data<\/a> through Google’s own Firebase, so the traffic looks legitimate. If you only install apps from the Play Store and never grant Accessibility access to something claiming to be Telegram, you’re already most of the way to safe. iPhone users aren’t a target for the malware itself, though the phishing side can still bite \u2014 more on that near the end.<\/p>\n\n\n\n

What FireScam Actually Is and Why It’s Clever<\/h2>\n\n\n\n

Most phone malware is lazy. It grabs what it can and gets caught fast. FireScam isn’t that.<\/p>\n\n\n\n

It’s an information stealer \u2014 it’s whole job is to quietly siphon your data off the device and out to whoever’s running it. What sets it apart is the disguise and the plumbing. The disguise: it wears Telegram’s face, right down to the icon and the name, banking on the fact that you already trust that app and won’t look twice. The plumbing: instead of beaming your data to some sketchy server that a firewall would flag in a heartbeat, it pipes everything through Firebase<\/a>, Google’s legitimate cloud platform that thousands of real apps use every day. Your security software sees traffic going to Google. It shrugs. The data walks out the front door wearing a hi-vis jacket.<\/p>\n\n\n\n

It surfaced in late 2024, first aimed at Russian-speaking users. But here’s the thing worth sitting with \u2014 none of the machinery is tied to Russia. The fake store, the fake app, the lure: all of it clones in an afternoon into any language, any region. So treating this as “a Russia problem” misses the point entirely. The blueprint travels.<\/p>\n\n\n\n

\"What<\/figure>\n\n\n\n

The Fake RuStore Trick: How It Reaches Your Phone<\/h2>\n\n\n\n

Every part of this attack leans on one decision the victim makes: installing an app from outside the official store. Take that decision away and the whole thing collapses. So that’s exactly what the attackers engineer you into doing.<\/p>\n\n\n\n

It starts with a website. The attackers stand up a counterfeit RuStore<\/a> page \u2014 RuStore being the real, government-backed Russian app marketplace \u2014 and the fake is a close enough copy that a hurried glance won’t catch it. On that page sits the bait: “Telegram Premium,” free. No subscription, no payment, all the premium features you’d normally pay for. For a lot of people that’s an easy yes and that’s the entire trick. There’s no exploit here, no clever code breaking into your phone. Just a good-looking lie and a download button.<\/p>\n\n\n\n

What you actually get comes in two stages and the two-stage design is deliberate:<\/p>\n\n\n\n

    \n
  1. The dropper<\/strong> lands first \u2014 a small APK (reported under package names like com.tg.premium). It asks for almost nothing, because asking for a lot up front is what makes people hesitate. It’s only real job is to fetch the second piece. It’ll often dress this up as a “Telegram update” or a missing component, so the next install feels routine.<\/li>\n\n\n\n
  2. The payload<\/strong> is the real malware (reported as com.apps.tgpremium). This is the one wearing Telegram’s icon and name. Launch it once and it gets pushy \u2014 demanding permissions and above all pushing you to switch on Accessibility access through dialogs designed to look necessary. Grant that and it does something telling: it hides it’s own icon from your app drawer. Out of sight, running in the background, digging in for the long haul.<\/li>\n<\/ol>\n\n\n\n

    That icon-hiding moment is the line between “an app I installed” and “a thing I can’t see and won’t think about again.” Which is the point.<\/p>\n\n\n\n

    What Personal Data FireScam Steals<\/h2>\n\n\n\n
    \"What<\/figure>\n\n\n\n

    Short answer: nearly all of it. This isn’t a malware that’s after one specific thing \u2014 it’s after your whole digital life and it’s organised about collecting it.<\/p>\n\n\n\n

    Here’s what it pulls off an infected phone:<\/p>\n\n\n\n