Firestarter Android Malware Abuses Google Firebase Cloud Messaging

  • Lindsey O'
  • published date: 2020-10-30 16:29:00 UTC

The DoNot APT threat group is leveraging the legitimate Google Firebase Cloud Messaging server as a command-and-control (C2) communication mechanism.

<div class="c-article__content js-reading-content"> <p>An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.</p> <p>The malware, dubbed “Firestarter,” is used by an <a href="" target="_blank" rel="noopener noreferrer">APT threat group called “DoNot.”</a> DoNot uses Firebase Cloud Messaging (FCM), which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications. The service is provided by Firebase, a subsidiary of Google, and <a href="" target="_blank" rel="noopener noreferrer">has been previously leveraged by</a> cybercriminals.</p> <p>In this case, the loader uses it as a communication mechanism to connect with DoNot’s command-and-control (C2) servers, helping the group’s activities avoid detection.</p> <p><a href=""><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="" alt="" width="700" height="50"></a></p> <p>“Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines,” according to researchers with Cisco Talos <a href="" target="_blank" rel="noopener noreferrer">in a Thursday analysis</a>. “These experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area.”</p> <p> </p> <p>The DoNot team continues to focus on India and Pakistan, and is known for targeting Pakistani government officials and Kashmiri non-profit organizations (Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley).</p> <div class="c-video-container"><iframe title="DoNot Firestarter: An Android Malware Loader" width="500" height="281" src="" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></div> <p> </p> <p>Users are lured to install a malicious app on their mobile device, likely done via direct messages that utilize social engineering, researchers said. The filename of these Android applications (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) show continued interest in India, Pakistan <a href="" target="_blank" rel="noopener noreferrer">and the Kashmir crisis</a>.</p> <p>Once the app — which purports to be a chat platform — is downloaded and opened, users receive a message that chats are continually loading, and that the application is not supported, and that uninstallation is in progress. This is a lure to make the victim believe that there was no malicious install, researchers said. Once the message of uninstallation is shown, the icon is removed from the user interface (though it still shows in the application list in the phone’s settings).</p> <div id="attachment_160802" style="width: 174px" class="wp-caption alignleft"><a href=""><img aria-describedby="caption-attachment-160802" loading="lazy" class="wp-image-160802" src="" alt="DoNot APT" width="164" height="291"></a><p id="caption-attachment-160802" class="wp-caption-text">The malicious app purports to uninstall after download. Credit: Cisco Talos</p></div> <p>In the background, however, the malicious app is attempting to download a payload using FCM.</p> <p>According to Firebase, an FCM implementation includes two main components for sending and receiving messages. These include an app server on which to build, target and send messages; and an iOS, Android, or web (JavaScript) client app that receives messages via the corresponding platform-specific transport service.</p> <p>In this case, the app sends the C2 server a Google FCM token with various device info – including the geographic location, IP address, IMEI and email address from the victims – which then allows operators to decide whether the victim should receive the payload. This ensures that only very specific devices are delivered the malicious payload, researchers said.</p> <p>The C2 then sends a Google FCM message containing the URL for the malware to download the payload. When the malware receives this message, it checks if it contains a key called “link,” and if that exists, it checks if it starts with “https.” It then uses the link to download the payload from a hosting server.</p> <p>Of note, researchers said that the Google FCM communication channel is encrypted and mixed among other communications performed by Android OS using the Google infrastructure, which helps it escape notice.</p> <p>“DoNot team is hiding part of their traffic among legitimate traffic,” said researchers. “Even though the malicious actors still need a [C2] infrastructure, the hardcoded one is only needed at installation time, afterwards it can be discarded and easily replaced by another one. Thus, if their C2 is taken down by law enforcement or deemed malicious, they can still access the victim’s device and instruct it to contact a new C2.”</p> <div id="attachment_160803" style="width: 1034px" class="wp-caption alignnone"><a href=""><img aria-describedby="caption-attachment-160803" loading="lazy" class="size-large wp-image-160803" src="" alt="firestarter " width="1024" height="544"></a><p id="caption-attachment-160803" class="wp-caption-text">DoNot’s Firestarter malware attack vector. Credit: Cisco Talos</p></div> <p><strong> </strong>The final payload, meanwhile, is not embedded in the Android application, making it impossible for analysts to dissect it.</p> <p>“This approach also makes detection more difficult,” they said. “The application is a loader with a fake user interface that manipulates the target after installing it.”</p> <p><strong>Hackers Put Bullseye on Healthcare: <a href=";utm_medium=ART&amp;utm_campaign=Nov_webinar" target="_blank" rel="noopener noreferrer">On Nov. 18 at 2 p.m. EDT</a> find out why hospitals are getting hammered by ransomware attacks in 2020. <a href=";utm_medium=ART&amp;utm_campaign=Nov_webinar" target="_blank" rel="noopener noreferrer">Save your spot for this FREE webinar</a>on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this <a href=";utm_medium=ART&amp;utm_campaign=Nov_webinar" target="_blank" rel="noopener noreferrer">LIVE</a>, limited-engagement webinar.</strong></p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> </div> </footer> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Firestarter Android Malware Abuses Google Firebase Cloud Messaging" data-url="" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="">Cloud Security</a></li> <li><a class="c-label c-label--secondary-transparent" href="">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="">Web Security</a></li> </ul> </div> </div> </footer> </div>