A new piece of Android malware named Firestarter, attributed to the DoNot group, has been detected by cyber threat researchers at Cisco Talos. The attackers are using Google's own Firebase Cloud Messaging (FCM) infrastructure to control the malware and deliver further payloads to unsuspecting users.
According to the researchers, routing command-and-control traffic through Google's infrastructure lets the attackers blend their traffic in with legitimate connections to Google and deliver payloads selectively to chosen victims. As a result, the malware was hard to detect. They add that Firestarter is specifically targeted at government officials in Pakistan and NGOs working in Kashmir.
Firestarter's loader is hidden inside an app that, once a user installs it, infects the phone. After the app is run, the loader executes additional code that downloads the payload, based on information collected about the device.
The app transmits the device's data, including personal and geographical information, to DoNot's command centre. This data helps the attackers identify the user and decide whether or not to infect the device with the payload. Cisco Talos researchers state that, using Google FCM, the loader app can receive a message from the DoNot command centre containing a link to the malicious package, which the infected app then downloads and runs to give the attackers access to the device.
They state that even if the command centre were taken down, the group's continued access to Google FCM would allow it to keep pushing messages to already infected devices from a different command centre. Because of this, the loader is very difficult to neutralise once installed.
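FCM data messages are opaque key/value pairs that Google delivers straight to the app's message handler (on Android, `FirebaseMessagingService.onMessageReceived`), so nothing on Google's side inspects what they carry. A defender who logs those messages on an instrumented test device can triage them for the loader pattern described above: a silent data message carrying a link to a downloadable package. The following is an added example written for this page, not code from Cisco Talos or from the malware; the message keys, hosts, IP addresses and URLs in the sample messages are constructed, and the allow-list of download hosts is an assumption a real app's owner would fill in.

```python
import re
from urllib.parse import urlparse

# File types an Android loader can fetch and execute (DexClassLoader,
# PackageInstaller, or unpacking a dropped archive). Assumed list.
STAGE_EXTENSIONS = (".apk", ".dex", ".jar", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(value):
    """Return every http(s) URL found in a nested dict/list/str FCM payload."""
    if isinstance(value, str):
        return URL_RE.findall(value)
    if isinstance(value, dict):
        return [u for v in value.values() for u in extract_urls(v)]
    if isinstance(value, list):
        return [u for v in value for u in extract_urls(v)]
    return []


def classify_message(msg, allowed_hosts):
    """Classify one decoded FCM message.

    msg mirrors the shape of an FCM message: an optional "notification"
    block (shown to the user) and an optional "data" block of key/value
    pairs (handed to the app silently). allowed_hosts is the set of hosts
    the app is expected to download content from (assumed allow-list).
    Returns (verdict, reasons) with verdict "ok", "review" or "suspect".
    """
    reasons = []
    data = msg.get("data", {})
    silent = "notification" not in msg and bool(data)
    for url in extract_urls(data):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(STAGE_EXTENSIONS):
            reasons.append(f"executable stage at {url}")
        if host not in allowed_hosts:
            reasons.append(f"URL to non-allowlisted host {host}")
        if parsed.scheme.lower() == "http":
            reasons.append(f"cleartext download {url}")
    if silent and reasons:
        reasons.append("data-only message (no notification shown to the user)")
    if any(r.startswith("executable stage") for r in reasons):
        return "suspect", reasons
    return ("review", reasons) if reasons else ("ok", reasons)


# Constructed sample messages, as they might be logged from an instrumented
# device's onMessageReceived handler. None of these are real captures.
SAMPLE_MESSAGES = [
    # 1: ordinary user-visible notification with an app-level id, no URLs
    {"notification": {"title": "New story", "body": "Tap to read"},
     "data": {"article_id": "48213"}},
    # 2: data message fetching an image from the app's own CDN (allow-listed)
    {"data": {"image": "https://cdn.example.com/img/48213.jpg"}},
    # 3: loader-style push: silent data message carrying a link to a stage-2 package
    {"data": {"u": "http://203.0.113.10/update/stage2.apk", "t": "1"}},
    # 4: silent data message linking to an unknown host, but not to an executable
    {"data": {"promo": "https://partner.example.net/offer"}},
]
ALLOWED_HOSTS = {"cdn.example.com"}


def triage(messages=SAMPLE_MESSAGES, allowed_hosts=ALLOWED_HOSTS):
    """Return the verdict for each message, in order."""
    return [classify_message(m, allowed_hosts)[0] for m in messages]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES, 1):
        verdict, reasons = classify_message(m, ALLOWED_HOSTS)
        print(f"message {i}: {verdict}")
        for r in reasons:
            print(f"    - {r}")
```

The check deliberately treats a non-allow-listed host as only "review": an app may legitimately receive URLs to partner sites in a data message, whereas a link whose path ends in a package extension is what a loader needs and is what earns "suspect". Because the verdict depends on the message content rather than on which server sent it, the same triage keeps working when the attackers swap in a new command centre behind the same FCM project, which is exactly the resilience the researchers describe.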
The researchers state that the only way to neutralise the malware is for Google to step in and take down the attackers' Firebase account along with the command centre. The list of malicious apps carrying the loader has not been released by the researchers.