Now this malicious app contains additional malicious code that attempts to download a payload based on information obtained from the compromised device.Īfter getting the Google FMC token (Step 1) the operators have everything they need to send the Google FMC message containing the URL for the malware to download, geographic location, IP address, IMEI, and email address from the victims, allowing them to decide which victims should receive the payload.
In the background, however, the malicious app is attempting to download a payload using FCM. Once the message of uninstallation is shown, the icon is removed from the user interface. This is often a lure to make the victim believe that there was no malicious install, researchers said. Once the app, which purports to be a chat platform is downloaded and opened, users receive a message that chats are continually loading, the application is not supported, and uninstallation is ongoing (as shown in the sequence below). The filename of those Android applications (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) shows continued interest in India, Pakistan, and the Kashmir crisis.
Users are tempted to install a malicious app on their mobile device, likely done via direct messages that utilize social engineering, researchers said. They are using a legitimate service within Google’s infrastructure which makes it harder for detection across users’ networks. The DoNot APT group is making strides to experiment with new methods of delivery for their payloads. The service is provided by Firebase, a subsidiary of Google, and has been previously leveraged by cybercriminals. DoNot uses Firebase Cloud Messaging (FCM), a cross-platform cloud solution for messages and notifications for Android, iOS, and web applications, which currently can be used at no cost.
The ‘Firestarter’ malware is used by an APT threat group called “DoNot”.
0 kommentar(er)
