DoNot Firestarter Malware Uses Google Firebase Cloud Messaging: Report
DoNot Firestarter is a recently detected Android malware that reportedly uses Google’s own infrastructure to deliver its payload. According to Cisco’s Talos cybersecurity researchers, Firestarter uses Google’s Firebase Cloud Messaging (FCM) infrastructure to control the malware. Riding on Google’s infrastructure lets the malware’s traffic blend in with legitimate Internet traffic and lets the operators target victims individually, which makes it even harder for security researchers to detect.
Cisco Talos’ analysis of DoNot’s activity indicates the group specifically targets government officials in Pakistan and NGOs working in Kashmir.
The loader is generally disguised as an application the user is enticed to install. That application contains additional code that downloads the payload based on information collected from the device. This could be used, for example, to build an application that is harmless in the rest of the world but behaves as malware in one specific geography.
The malware then sends personal and geographic information about the device to DoNot’s command-and-control (C2) server, which helps the group identify the user and decide whether or not to infect the device. The researchers say that through Google FCM the malware can receive a message from the DoNot C2 in the form of a link, giving the group access to the device. Even if a particular C2 were taken down, the FCM channel would let the group infect the device using a different C2, which makes this loader particularly dangerous and difficult to remove.
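One defender-side check that follows from the description above is to inspect the FCM data messages an application actually receives for embedded download links, since the report says the payload arrives from the C2 as a link pushed over FCM. The script below is an added example, not code from Cisco Talos or from the report; it assumes the messages have been captured (for example from app instrumentation or device logs) as JSON objects with an FCM-style `data` map, and the sample messages are constructed for illustration and are not real DoNot traffic.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample FCM data messages (JSON form is an assumption of this example).
SAMPLE_MESSAGES = [
    '{"data": {"title": "Prayer times updated", "body": "Open the app to see today\'s schedule"}}',
    '{"data": {"cmd": "fetch", "url": "https://cdn.example.invalid/static/update.apk"}}',
    '{"data": {"note": "See https://docs.example.invalid/help.html"}}',
    '{"data": {"u": "http://198.51.100.23/p/stage2.dex"}}',
]

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Extensions that indicate executable code rather than content (heuristic, not exhaustive).
PAYLOAD_EXTENSIONS = (".apk", ".dex", ".jar", ".so", ".zip")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_urls(obj):
    """Recursively collect URL-looking strings from any value in a decoded message."""
    urls = []
    if isinstance(obj, dict):
        for value in obj.values():
            urls.extend(extract_urls(value))
    elif isinstance(obj, list):
        for value in obj:
            urls.extend(extract_urls(value))
    elif isinstance(obj, str):
        urls.extend(URL_RE.findall(obj))
    return urls


def classify_message(raw):
    """Return (verdict, urls) for one raw JSON FCM data message.

    'suspicious': a link points at an executable artifact or a bare IP host,
    'review':     a link is present but looks like ordinary content,
    'benign':     no link at all.
    """
    message = json.loads(raw)
    urls = extract_urls(message)
    for url in urls:
        parsed = urlparse(url)
        path = parsed.path.lower()
        host = parsed.hostname or ""
        if path.endswith(PAYLOAD_EXTENSIONS) or IPV4_RE.fullmatch(host):
            return ("suspicious", urls)
    if urls:
        return ("review", urls)
    return ("benign", urls)


def scan(messages):
    """Classify every captured message; returns a list of (verdict, urls)."""
    return [classify_message(m) for m in messages]


if __name__ == "__main__":
    for raw, (verdict, urls) in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"{verdict:10s} {urls if urls else '-'}")
```

A message that merely carries a link is not proof of compromise, which is why the example separates "review" from "suspicious"; the point is that a push notification whose payload resolves to an APK, DEX or raw-IP host is the signal worth alerting on, independent of which C2 domain the operators happen to be using at the time.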
The only way to neutralize the threat, the researchers say, would be for Google to delete the FCM account used by the malware along with the C2. The analysis also notes that because DoNot targets users so selectively, Firestarter is difficult for security researchers to detect and categorize.