Malware: Firestarter
Author: DoNot
Threat Actor Type: APT
Platform: Android
Malware Lifecycle
- The malware poses as a legitimate Android application and tricks users into installing it.
- After installation, the user’s identity and geolocation are sent to the C2, followed by a registration process in which the malware obtains an FCM (Firebase Cloud Messaging) token.
- The FCM token is generated on the device and sent to the C2.
- The C2 uses this FCM token to deliver a link to the payload. The threat actor uses details such as IP address, IMEI, email address and geolocation to decide which users should receive the payload.
- Firestarter then receives the payload link through Google FCM’s messaging infrastructure and downloads the payload over HTTPS, so that the traffic to the hosting server is encrypted.
Capabilities
- Access call history
- Access address book
- Access SMSs
- Access files on the SD card
- Obtain user information
- Obtain network information
- Detect location of the device
- Access installed applications
- Steal browser information
- Steal calendar information
- Steal WhatsApp information
- Keylogging
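The lifecycle above relies on an FCM registration, and the capability list maps closely onto Android permissions an app must declare. The following is an added example, not code from the original profile or from any DoNot sample analysis: a small static-triage script that reads a decoded AndroidManifest.xml (real APKs carry a binary manifest, so it assumes the file has already been decoded with a tool such as apktool) and reports which of the profile's capabilities the app's declared permissions would grant, whether it registers an FCM message handler, and whether it declares an accessibility service. The keylogging-to-accessibility-service mapping is an assumption made here for illustration, not something the profile states; the two manifests embedded below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Intent actions that identify an FCM message handler and an accessibility
# service in a decoded manifest (both are the documented Android/Firebase
# action strings).
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Capabilities from the profile, mapped to the permissions that grant them.
CAPABILITY_PERMISSIONS = {
    "call history": {"android.permission.READ_CALL_LOG"},
    "address book": {"android.permission.READ_CONTACTS"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "SD card files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "installed applications": {"android.permission.QUERY_ALL_PACKAGES"},
    "calendar": {"android.permission.READ_CALENDAR"},
}
# Assumption for this example: keylogging is signalled by an accessibility
# service rather than by a uses-permission entry.
KEYLOG_LABEL = "keylogging (assumed: accessibility service)"


def triage_manifest(manifest_xml: str) -> dict:
    """Return a triage summary for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Collect every intent-filter action declared by any component.
    actions = {a.get(NAME_ATTR) for a in root.iter("action")}

    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                          if declared & perms)
    fcm_receiver = FCM_ACTION in actions
    accessibility_service = ACCESSIBILITY_ACTION in actions
    if accessibility_service:
        capabilities.append(KEYLOG_LABEL)

    # Heuristic used here: several data-access capabilities combined with a
    # push-message handler matches the staged delivery described in the profile.
    high_risk = len(capabilities) >= 3 and fcm_receiver
    return {
        "capabilities": capabilities,
        "fcm_receiver": fcm_receiver,
        "accessibility_service": accessibility_service,
        "high_risk": high_risk,
    }


# Constructed manifest resembling the profile's capability set (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <service android:name=".MsgService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(xml_text)
        print(label, report)
```

The script is a first-pass filter for an app review queue, not a verdict: plenty of legitimate apps hold contact, SMS or location permissions, so a flagged manifest is a prompt to inspect the app's behaviour (and its network destinations after installation), not proof of compromise.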
Impact
Technical
- Exfiltration of user data, including PII and credentials.
- Unauthorized access to the PED (Personal Electronic Device), giving the attacker command execution and filesystem access.
- Leakage of sensitive geolocation data alongside other information such as PII.
Business
- Attackers can use compromised PEDs as an initial foothold for espionage and other illicit activities targeting organizations and individuals.
- The malware can be used to extend the attack into company infrastructure by stealing user-related sensitive data such as emails, keylogs and messages.
Mitigations
- Ensure user awareness and cyber security hygiene.
- Install mobile threat defense solutions / EDRs.