Cybersecurity researchers at Cisco Talos have discovered a new Android malware named DoNot Firestarter. In this malware, the threat actors use Google's own Firebase Cloud Messaging service to manage and deliver malware to unsuspecting users.
The hackers are using Firebase Cloud Messaging (FCM), a cross-platform cloud solution for messages and notifications for Android, web applications, and iOS.
This kind of service is operated by Firebase, a subsidiary of Google, and it has been abused by cybercriminals before.
The malware was also hard to detect, and the researchers added that DoNot Firestarter is being explicitly targeted at government executives in Pakistan and NGOs operating in Kashmir.
With this new malware, DoNot is taking steps to explore new delivery procedures for its payloads. The malware uses legitimate services within Google's infrastructure, which makes it harder to detect across a user's network.
Beyond this, there are some new points regarding this malware, and they are mentioned below:-
- The newly discovered Firestarter malware receives notification of its final payload through Google Firebase Cloud Messaging.
- The DoNot team can redirect the malware to a different C2 just by using Google infrastructure, even if the command and control (C2) server is taken down.
- The final payload upload indicates a highly personalized targeting strategy.
How did it work?
In this new DoNot malware, users are tempted to install a malicious app on their mobile device. This malicious app includes additional malicious code.
This malicious code tries to download a payload based on the compromised device's data. This step ensures that only specific devices are served the malicious payload.
In the loader flow, the first execution uses a trick to make the victim believe that nothing malicious was installed. The sequence mentioned below shows what a user notices during the first execution.
Once the uninstallation messages have been shown, the icon is removed from the UI; the only way to find the application afterwards is by reviewing the application list.
After reviewing the list, the user will notice an icon for the application that appears to be disabled, as shown in the image above.
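An added example, not from the Talos report or the article, of how a defender could triage a decoded AndroidManifest.xml for the combination of traits described above: an FCM listener (the real intent action com.google.firebase.MESSAGING_EVENT), permission to install a downloaded second stage, and the spying permissions matching the capabilities listed later on this page. The manifest, package name and thresholds are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # real Firebase Messaging intent action

# Permissions that map onto the spying capabilities described in the article.
SPY_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "SD card files",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_CALENDAR": "calendar",
}
# Needed on modern Android to install a downloaded second-stage APK.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def manifest_indicators(manifest_xml):
    """Collect the Firestarter-style indicators present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    fcm_listener = any(attr(a, "name") == FCM_ACTION for a in root.iter("action"))
    return {
        "package": root.get("package"),
        "fcm_listener": fcm_listener,
        "can_install_packages": INSTALL_PERMISSION in perms,
        "spy_capabilities": sorted(v for k, v in SPY_PERMISSIONS.items() if k in perms),
    }

def triage(manifest_xml, min_spy_caps=3):
    """Flag only when FCM control, payload installation and spying permissions co-occur."""
    ind = manifest_indicators(manifest_xml)
    suspicious = (ind["fcm_listener"] and ind["can_install_packages"]
                  and len(ind["spy_capabilities"]) >= min_spy_caps)
    return suspicious, ind

# Constructed manifest (not from a real sample) combining the traits the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.loader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><service android:name=".PushService" android:exported="false">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service></application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A hidden launcher icon is a runtime state rather than a manifest property, so the script covers only what static analysis of the manifest can show; the disabled-icon check described above still has to be done on the device's application list.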
According to the Talos report, the DoNot Team has a strong interest in India and Pakistan. A few of the Android applications' filenames reflect this interest, for example kashmir_sample.apk or Kashmir_Voice_v4.8.apk.
This new attack follows the same victimology as usual: India, Pakistan, and the Kashmir crisis. The victims mainly belong to non-profit organizations and end users, and are mostly linked to this region of the world.
The malware developed by the DoNot Team takes control of the compromised devices, and it also supports all the standard features of a spying framework, which are mentioned below:-
- Collect the call history
- Get the address book
- Collect SMS messages
- Capture keyboard input
- Get files from the SD card
- Get user data
- Get network data
- Acquire the location of the device
- Get the list of installed applications
- Get browser data
- Retrieve calendar information
- Collect WhatsApp information
There is no doubt that hackers continue to innovate. In this new piece of malware, the DoNot team has actively moved away from its conventional methods for the different components.
The threat actors are trying to evade detection and disguise themselves by using Google platforms, and they used different configuration options to enable specially crafted features for their web server infrastructure. They also ensured backward compatibility with earlier versions of their malware.