Firestarter Android Malware Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Firestarter, created by DoNot APT, Android malware that abuses Google's Firebase Cloud Messaging
Updated on
April 19, 2023
Published on
November 2, 2020
Subscribe to the latest industry news, threats and resources.
Threat Actor Type
  Authored by DoNot APT group, Firestarter is a new innovative malware found in the wild, spreading across Android devices. DoNot is known for targeting Kashmiri, Pakistani organizations and officials. The malware uses Google’s Firebase Cloud Messaging (FCM) to disguise malicious traffic as a legitimate one, to evade detection. Command & Control (C2) is established using FCM and as a result, it is difficult to take down C2 even after its detection. This is because threat actors can instruct the device to connect to a new C2 using the same FCM infrastructure. Only Google can make necessary steps to thwart this malware’s operation.

Malware Lifecycle

  1. Malware poses as a legitimate Android application and tricks users to install it.
  2. After the installation, the user’s identity and geolocation are sent to the C2, followed by the registration process whereby it obtains an FCM token.
  3. An FCM token is generated and sent to the C2.
  4. This FCM token is used to generate a malware link to download the payload. Threat actor uses details such as IP address, IMEI, email address, geolocation to decide which user should receive the payload.
  5. Firestarter now receives the link to the payload from Google FCM’s messaging infrastructure and downloads it using “https” to communicate with the hosting server securely.
Once the payload is successfully executed, it activates malicious services on the victim's Android device. These are some malicious activities traced back to Firestarter:
  • Access call history
  • Access address book
  • Access SMSs
  • Access files on the SD card
  • Obtain user information
  • Obtain network information
  • Detect location of the device
  • Access installed applications
  • Steal browser information
  • Steal calendar information
  • Steal WhatsApp information
  • Keylogging


  • Exfiltration of user data that comprises PII and credentials.
  • Unauthorized access to PED (Personal Electronic Device) enabling command execution and filesystem access to the attacker.
  • Leaking sensitive geographical information among other data like PII.
  • Attackers can use PEDs as an initial foothold to carry out espionage and other illicit activities targeting organizations and individuals.
  • Malware can be used to further the attack into company infrastructure by stealing various user related sensitive data like emails, keylogs, messages, etc.


  • Ensure user awareness and cyber security hygiene 
  • Install mobile threat defense solutions/ EDRs

Indicators of Compromise

kashmir_sample.apk   Kashmir_Voice_v4.8.apk
b4c112d402c2555bea91d5c03763cfed87aa0fb0122558554c9a3bc7ac345990 69f257092947e003465f24b9b0b44d489e798bd5b8cf51f7e84bc161937b2e7c a5cfb2de4ca0f27b012cb9ae56ceacc2351c9b9f16418406edee5e45d1834650 d0a597a24f9951a5d2e7cc71702d01f63ff2b914a9585dbab5a77c69af5d60b5 e7a24751bc009bbd917df71fd4815d1483f52669e8791c95de2f44871c36f7f4 86194d9cb948d61da919e238c48a01694c92836a89c6108730f5684129830541 8770515a5e974a59f023c4c71b0c772299578f1e386f60f9dd203b64e2e2d92e a074aa746a420a79a38e27b766d122e8340f81221fe011f644d84ff9b511f29a 3d3f61d5406149fd8f2c018fbc842ccef2f645fc22f4e5702368131c1bd4e560 3d40fdc4dc550394884f0b4e38aa8a448f91f8e935c1b51fedc4b71394fa2366 83d174c65f1c301164683c163dab3ea79d56caeda1a4379a5a055723e1cb9d00 0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef b583ae22c9022fb71b06ec1bae58d0d40338432b47d5733bf550972c5cb627c4 c4971a65af3693896fdbb02f460848b354251b28067873c043366593b8dbc6f9 fa85813a90a2d0b3fc5708df2156381fdb168919b57e32f81249f8812b20e00a fde7ca904d9ae72ea7e242ee31f7fbaee963937341ca2863d483300828a4c6e0 0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef 192f699e6ce2cccb2c78397392f4d85566892d9c8cf7de1175feb4d58f97d815 e8605854c8730d2e80d8a5edd8bc83eb7c397a700255754ec9140b9717f7d467 2481f133dd3594cbf18859b72faa391a4b34fd5b4261b26383242c756489bf07 0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef
bulk[.]fun inapturst[.]top seahome[.]top fif0[.]top apkv6.endurecif[.]top
IP Address

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations