
New Android malware uses Google Firebase Cloud Messaging to infect devices

According to Cisco Talos researchers, the attackers use Google FCM, which lets the loader application receive a link to the malicious package from the DoNot command center, download it, and run the downloaded application to give the attackers access to the device.


Cisco Talos cyber threat researchers have detected a new Android malware family called DoNot Firestarter. The attackers use Google's own Firebase Cloud Messaging (FCM) infrastructure to control the malware and deliver it to unsuspecting users.

According to the researchers, using Google's infrastructure allows the attackers to hide the malware's traffic among legitimate Internet traffic and to deliver payloads selectively to chosen targets. This makes the malware difficult to detect. They added that DoNot Firestarter specifically targets Pakistani government officials and NGOs operating in Kashmir.

The DoNot Firestarter loader is hidden inside an application. When the user installs and runs that application, the loader collects device information and, based on it, executes further code to download the payload.

The app sends device data (including personal and geographic information) to DoNot's command center. This data helps the attackers identify the user and decide whether to infect the device with a payload. The researchers said the attackers use Google FCM to send the loader a message containing a link to the malicious package; the loader then downloads and runs that application, giving the attackers access to the device.

They said that even if the command center is taken down, the group's access to Google FCM would let it redirect infected devices to another command center. This makes the loader very difficult to neutralize.

The researchers said that the only way to neutralize the malware is for Google to intervene and delete the attackers' FCM account along with the command center. The researchers have not yet released a list of the initially infected applications.