Firestarter Android Malware Abuses Google Firebase Cloud Messaging (Security News, October 2020)

An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.
The malware, dubbed "Firestarter," is used by an APT threat group called "DoNot." DoNot uses Firebase Cloud Messaging, which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications.
An FCM deployment has two components: an app server on which to build, target and send messages; and an iOS, Android or web client app that receives messages via the corresponding platform-specific transport service.
The C2 sends a Google FCM message containing the URL from which the malware downloads the payload. When the malware receives this message, it checks whether the message contains a key called "Link," and if so, whether the value starts with "Https." It then uses the link to download the payload from a hosting server.
Of note, researchers said that the Google FCM communication channel is encrypted and mixed among other communications performed by Android OS using the Google infrastructure, which helps it escape notice.
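The behaviour described above gives a defender a concrete pattern to look for in FCM traffic captured from a device or sandbox: a data message whose payload carries a "Link" key with an https URL. The following is an added example, not code from the Threatpost article or from the Cisco Talos research it reports on. It triages a batch of FCM data messages for that pattern and extracts the hosting server for blocking. The message samples are constructed for this example; the key name "Link" and the https check come from the page, the case-insensitive scheme comparison is an assumption.

```python
"""Added example: triage Firebase Cloud Messaging (FCM) data messages for the
Firestarter-style "Link" download pattern. Not the article's or Talos's code."""
import json
from urllib.parse import urlparse

# Constructed samples (not real captured traffic). The shape follows FCM's
# data-message JSON, where the "data" map holds app-defined keys.
SAMPLE_MESSAGES_JSON = [
    '{"data": {"Link": "https://payload-host.invalid/update.apk"}}',
    '{"data": {"title": "Update available", "body": "Tap to refresh"}}',
    '{"data": {"Link": "http://payload-host.invalid/plain"}}',
    '{"notification": {"title": "hi"}}',
    'not json at all',
]


def parse_fcm_message(raw):
    """Parse one JSON-encoded FCM message; return None for malformed input
    so one bad record does not abort the whole batch."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def extract_download_link(message):
    """Return the download URL when the message matches the pattern the
    article describes (data["Link"] present and starting with https),
    otherwise None. The scheme check is case-insensitive (assumption)."""
    data = message.get("data")
    if not isinstance(data, dict):
        return None
    link = data.get("Link")
    if not isinstance(link, str):
        return None
    if not link.lower().startswith("https://"):
        return None
    return link


def triage(raw_messages):
    """Return a list of (hosting_server, url) for every flagged message,
    in input order. Hostnames are what an analyst would feed to blocking."""
    hits = []
    for raw in raw_messages:
        msg = parse_fcm_message(raw)
        if msg is None:
            continue
        link = extract_download_link(msg)
        if link:
            hits.append((urlparse(link).hostname, link))
    return hits


if __name__ == "__main__":
    for host, url in triage(SAMPLE_MESSAGES_JSON):
        print(f"flagged download link: host={host} url={url}")
```

The detector deliberately ignores the FCM "notification" block and looks only at the app-defined data map, because that is where the article places the "Link" key; a message that uses a plain http link is left unflagged to mirror the malware's own https check, so widen the scheme test if you want to catch variants.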
News URL
https://threatpost.com/firestarter-android-malware-google-firebase-cloud/160800/
Related news
- New North Korean Android spyware slips onto Google Play
- North Korea’s ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps
- Google Acquires Wiz for $32 Billion in Its Biggest Deal Ever to Boost Cloud Security
- Google to purchase Wiz for $32 billion in cloud security play
- Malicious Android 'Vapor' apps on Google Play installed 60 million times
- Google Gemini's Astra (screen sharing) rolls out on Android for some users
- New Android malware uses Microsoft’s .NET MAUI to evade detection
- APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware
- Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection
- New Crocodilus malware steals Android users’ crypto wallet keys