Firestarter Android Malware Abuses Google Firebase Cloud Messaging

Published by Thomas at November 9, 2020
Categories: Cloud security

The DoNot APT threat group is leveraging the legitimate Google Firebase Cloud Messaging server as a command-and-control (C2) communication mechanism.

An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.

The malware, dubbed “Firestarter,” is used by an APT threat group called “DoNot.” DoNot uses Firebase Cloud Messaging (FCM), which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications. The service is provided by Firebase, a subsidiary of Google, and has been previously leveraged by cybercriminals.

In this case, the loader uses it as a communication mechanism to connect with DoNot’s command-and-control (C2) servers, helping the group’s activities avoid detection.

“Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines,” according to researchers with Cisco Talos in a Thursday analysis. “These experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area.”

The DoNot team continues to focus on India and Pakistan, and is known for targeting Pakistani government officials and Kashmiri non-profit organizations (Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley).

Article’s intro is courtesy of Threatpost.
