Firestarter is an Android malware family attributed to the DoNot APT group and observed in the wild. DoNot is known for targeting organizations and officials in Kashmir and Pakistan.
The malware uses Google's Firebase Cloud Messaging (FCM) as its command-and-control (C2) channel, so its C2 traffic blends in with the legitimate FCM traffic that ordinary Android apps generate and is hard to single out at the network level.
Because commands arrive through FCM, taking down a discovered C2 server does not stop the implant: the operators can push a new C2 address to already-infected devices over the same FCM infrastructure. Defenders cannot block FCM without breaking legitimate apps, so only Google, which runs the FCM infrastructure, is in a position to disrupt the channel itself.
Threat Actor Type
Infection Chain
These are the stages observed in a Firestarter infection:
- The malware poses as a legitimate Android application and tricks the user into installing it.
- After installation, the user's identity and the device's geolocation are sent to the C2, and the app registers with FCM to obtain an FCM token.
- The FCM token is sent to the C2.
- Using details such as the IP address, IMEI, email address and geolocation, the threat actor decides whether this particular device should receive the payload.
- If the device is selected, the C2 uses its FCM token to push a message to the device that carries the link to the payload.
- Firestarter receives the payload link through Google's FCM messaging infrastructure and downloads the payload over HTTPS, so the download itself looks like ordinary encrypted web traffic.
Capabilities
Once the payload is executed, it starts malicious services on the victim's Android device that can:
- Access call history
- Access the address book
- Access SMS messages
- Access files on the SD card
- Collect user information
- Collect network information
- Determine the device's location
- Enumerate installed applications
- Steal browser data
- Steal calendar data
- Steal WhatsApp data
Impact
- Exfiltration of user data, including PII and credentials.
- Unauthorized access to the personal electronic device (PED), giving the attacker command execution and filesystem access.
- Leakage of sensitive geographical information alongside other PII.
- Attackers can use compromised PEDs as an initial foothold for espionage and other illicit activity against organizations and individuals.
- Data stolen from the device, such as emails, keystroke logs and messages, can be used to extend the attack into company infrastructure.
Mitigations
- Ensure user awareness and cyber security hygiene
- Install mobile threat defense (MTD) / EDR solutions
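The registration and FCM-relayed delivery chain described above, as an added simulation that is not the malware's own code and not part of the original page. The relay, the device and the operator are toy classes; the message shapes, hostnames, IMEIs, e-mail addresses and the country-based targeting rule are assumptions made for the illustration. It shows the point behind the takedown problem: sinkholing the first C2 host stops new registrations, but every device that has already handed over an FCM token stays reachable and can be re-pointed at a new C2.

```python
"""Toy model of an FCM-relayed C2 flow (added illustration, not Firestarter's code).
Message formats, hostnames, identifiers and the targeting rule are assumptions."""
import secrets
from dataclasses import dataclass, field


@dataclass
class FcmRelay:
    """Stand-in for Google's FCM infrastructure: delivers data messages by token."""
    tokens: dict = field(default_factory=dict)          # token -> registered device

    def register(self, device):
        token = secrets.token_hex(16)                   # assumed token shape
        self.tokens[token] = device
        return token

    def send(self, token, data):
        # The operator never contacts the device directly; only the relay does.
        self.tokens[token].on_fcm_message(data)


@dataclass
class Device:
    imei: str
    email: str
    country: str
    relay: FcmRelay
    c2_host: str = "c2-initial.example"                 # assumed initial C2 baked into the APK
    beacons: list = field(default_factory=list)         # hosts the device has contacted
    downloaded: list = field(default_factory=list)      # payload URLs fetched
    token: str = ""

    def install_and_register(self, operator):
        # Leak identity/location to the C2, obtain an FCM token and report it.
        self.token = self.relay.register(self)
        self.beacons.append(self.c2_host)
        operator.receive_registration(self.c2_host, {
            "imei": self.imei, "email": self.email,
            "country": self.country, "fcm_token": self.token})

    def on_fcm_message(self, data):
        # Act on whatever the relay delivers; the APK itself holds no payload URL.
        if data["type"] == "payload":
            if data["url"].startswith("https://"):      # payload is fetched over HTTPS
                self.downloaded.append(data["url"])
        elif data["type"] == "rotate_c2":
            self.c2_host = data["host"]
            self.beacons.append(self.c2_host)


@dataclass
class Operator:
    relay: FcmRelay
    targets: set                                        # assumed rule: countries of interest
    blocked_hosts: set = field(default_factory=set)     # C2 hosts taken down by defenders
    registrations: list = field(default_factory=list)

    def receive_registration(self, host, info):
        if host in self.blocked_hosts:
            return False                                # a sinkholed C2 never sees the beacon
        self.registrations.append(info)
        if info["country"] in self.targets:             # selective delivery, per the report
            self.relay.send(info["fcm_token"],
                            {"type": "payload", "url": "https://dl.example/stage2"})
        return True

    def rotate_c2(self, new_host):
        # Takedown of the first host is irrelevant: every known token is still reachable via FCM.
        for info in self.registrations:
            self.relay.send(info["fcm_token"], {"type": "rotate_c2", "host": new_host})


def run_scenario():
    """Constructed scenario: one targeted victim, one bystander, one late install."""
    relay = FcmRelay()
    op = Operator(relay, targets={"PK"})
    victim = Device("356938035643809", "victim@example.org", "PK", relay)
    bystander = Device("490154203237518", "other@example.net", "DE", relay)
    late = Device("352099001761481", "late@example.org", "PK", relay)
    victim.install_and_register(op)
    bystander.install_and_register(op)
    # Defenders sinkhole the initial C2; the operator re-points existing implants over FCM.
    op.blocked_hosts.add("c2-initial.example")
    op.rotate_c2("c2-backup.example")
    late.install_and_register(op)                       # new infection now fails to register
    return victim, bystander, late


if __name__ == "__main__":
    for dev in run_scenario():
        print(dev.imei, dev.beacons, dev.downloaded)
```

The takeaway for detection is that the indicator worth hunting for is not the C2 hostname, which the operator can change at will, but the behaviour: an app that registers for FCM, reports device identifiers and location to an external host, and then fetches an executable payload over HTTPS in response to a push message.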
Indicators of Compromise