Security News > 2020 > October > Firestarter Android Malware Abuses Google Firebase Cloud Messaging

An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.

The malware, dubbed "Firestarter," is used by an APT threat group called "DoNot." DoNot uses Firebase Cloud Messaging, which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications.

These include an app server on which to build, target and send messages; and an iOS, Android, or web client app that receives messages via the corresponding platform-specific transport service.

The C2 then sends a Google FCM message containing the URL for the malware to download the payload. When the malware receives this message, it checks if it contains a key called "Link," and if that exists, it checks if it starts with "Https." It then uses the link to download the payload from a hosting server.

Of note, researchers said that the Google FCM communication channel is encrypted and mixed among other communications performed by Android OS using the Google infrastructure, which helps it escape notice.

News URL

https://threatpost.com/firestarter-android-malware-google-firebase-cloud/160800/