Security News > 2020 > October > Firestarter Android Malware Abuses Google Firebase Cloud Messaging

An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.
The malware, dubbed "Firestarter," is used by an APT threat group called "DoNot." DoNot uses Firebase Cloud Messaging, which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications.
These include an app server on which to build, target and send messages; and an iOS, Android, or web client app that receives messages via the corresponding platform-specific transport service.
The C2 then sends a Google FCM message containing the URL for the malware to download the payload. When the malware receives this message, it checks if it contains a key called "Link," and if that exists, it checks if it starts with "Https." It then uses the link to download the payload from a hosting server.
Of note, researchers said that the Google FCM communication channel is encrypted and mixed among other communications performed by Android OS using the Google infrastructure, which helps it escape notice.
News URL
https://threatpost.com/firestarter-android-malware-google-firebase-cloud/160800/
Related news
- New Crocodilus malware steals Android users’ crypto wallet keys (source)
- Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse (source)
- Counterfeit Android devices found preloaded With Triada malware (source)
- Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices (source)
- Google fixes Android zero-days exploited in attacks, 60 other flaws (source)
- Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities (source)
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps (source)
- Google adds Android auto-reboot to block forensic data extractions (source)
- New Android malware steals your credit cards for NFC relay attacks (source)