Detected a virus that is extremely dangerous for Android phones: there are practically no ways to protect yourself
The DoNot APT group, known for their attacks on Pakistani government officials and Kashmiri non-profit organizations, has started using Google’s own infrastructure to deliver their malicious payloads. Researchers at Cisco Talos have uncovered a new Android malware named DoNot Firestarter, which is being controlled using Google’s Firebase Cloud Messaging (Google FCM) infrastructure. According to the researchers, victims are tricked into installing a malicious software onto their Android devices, which then attempts to download a malicious payload. It appears that the group may be targetting specific devices, as the payload would download based on the information obtained from the infected device.
Essentially, the group can decide which devices will receive the payload, and that makes it more difficult for law enforcement or malware researchers to obtain the payload.
The malware would allow the DoNot APT group to essentially spy on affected devices, get their call logs and SMS, access to the address book, log keystrokes, get device, network and location information, etc.
What is interesting and quite alarming about Firestarter is that its operators are using Google’s Firebase Cloud Messaging to communicate with it. According to Cisco Talos, the group is hiding part of their traffic among legitimate traffic by encrypting and mixing their communication channel among communications performed by Android OS with Google’s infrastructure. What’s more, while the group still needs a command and control (C2) infrastructure, the hardcoded one is only necessary during installation. Essentially, they can easily replace it with another one. That means that if their C2 is taken down for whatever reason, they can instruct the infected device to contact a new C2.
“With this new tactic only Google has the capability to effectively stop the malware, since it’s the only institution that could disable the Google FCM mechanism on the victim’s device,” Cisco Talos has said.
It appears that the only way for users to protect themselves at this time is to block the installation of apps from unknown sources. It is very likely that users are tricked into installing the malware via direct messages, so users should be extremely cautious to not engage with such messages.
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.