Malware Lifecycle

1. Malware poses as a legitimate Android application and tricks users to install it.
2. After the installation, the user’s identity and geolocation are sent to the C2, followed by the registration process whereby it obtains an FCM token.
3. An FCM token is generated and sent to the C2.
4. This FCM token is used to generate a malware link to download the payload. Threat actor uses details such as IP address, IMEI, email address, geolocation to decide which user should receive the payload.
5. Firestarter now receives the link to the payload from Google FCM’s messaging infrastructure and downloads it using “https” to communicate with the hosting server securely.

• Access call history
• Access address book
• Access SMSs
• Access files on the SD card
• Obtain user information
• Obtain network information
• Detect location of the device
• Access installed applications
• Steal browser information
• Steal calendar information
• Steal WhatsApp information
• Keylogging

Impact

Technical 

• Exfiltration of user data that comprises PII and credentials.
• Unauthorized access to PED (Personal Electronic Device) enabling command execution and filesystem access to the attacker.
• Leaking sensitive geographical information among other data like PII.

Business

• Attackers can use PEDs as an initial foothold to carry out espionage and other illicit activities targeting organizations and individuals.
• Malware can be used to further the attack into company infrastructure by stealing various user related sensitive data like emails, keylogs, messages, etc.

Mitigations

• Ensure user awareness and cyber security hygiene 
• Install mobile threat defense solutions/ EDRs

Indicators of Compromise

Filename

HASHES SHA2-256

Domain

IP Address