
Firestarter Trojan

Posted: November 27, 2020

The Firestarter Trojan is a threatening Android application that appears to be the work of the Advanced Persistent Threat (APT) group tracked as DoNot. The group's latest campaign targets India, Pakistan and other parties to the 2020 Kashmir conflict. The payload is a basic Trojan loader that abuses a legitimate cloud messaging platform, Google's Firebase Cloud Messaging (FCM), to reach its control server, exfiltrate data and retrieve further payloads. Because FCM traffic goes to Google-owned endpoints over TLS, the same way push notifications for countless legitimate apps do, it blends into normal device traffic and cannot be blocked without breaking those apps. This is not the first time the service has been abused by cybercriminals, and, unfortunately, more mobile malware developers are likely to adopt it in their campaigns.

The Firestarter Trojan is usually delivered as a fake APK installer posing as a Kashmir-related application, such as a chat service. The exact delivery mechanism is not yet known, but the DoNot APT operators most likely rely on social engineering and phishing emails to get the malicious files onto victims' devices.

When a victim launches the malicious APK, they may see a prompt stating that initialization failed and that the application will now uninstall itself. This simple trick may convince many victims that the application was removed from the device when, in reality, the implant has only hidden its launcher icon; the package remains installed and keeps running in the background. One check still available to the victim is that the application stays listed under Settings > Apps, since disabling the launcher activity hides the icon but does not uninstall anything. The Trojan then gathers information such as the IMEI, IP address, geographic location and phone hardware details and sends it, together with the device's FCM registration token, to the control server. The token is the identifier the operators need in order to push messages back to that specific device through Google's service. The collected data appears to be reviewed manually to decide whether the target is of interest; if it is, the operators deploy a secondary payload through the Firestarter Trojan.
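The behaviour described above leaves static traces in the APK: a service registered for FCM messages, permissions that cover the IMEI and location, a launcher activity, and code that disables that activity after showing the fake "uninstall" message. The following triage script, added here as an example and not code from the original report or from the DoNot toolset, checks a decoded manifest (as produced by apktool or jadx) and decompiled source for those traits. The manifest, package name `com.example.kashmirchat` and Java snippet are constructed for the example; the Android permission names, the `com.google.firebase.MESSAGING_EVENT` action and the `setComponentEnabledSetting` API are real.

```python
"""Static triage of a decoded Android app for the loader traits described above.

Added example: input is a decoded AndroidManifest.xml plus decompiled source,
both constructed below. Nothing here executes the sample.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # how ElementTree spells android:* attributes

# Intent action a FirebaseMessagingService must declare to receive FCM pushes.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Permissions covering the data the loader is said to collect.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",       # IMEI / device identifiers
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Extract the manifest facts relevant to FCM control and icon hiding."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    fcm_service = False
    launchers = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias", "service"):
            continue
        actions = {a.get(A + "name") for a in comp.iter("action")}
        cats = {c.get(A + "name") for c in comp.iter("category")}
        if comp.tag == "service" and FCM_ACTION in actions:
            fcm_service = True
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            launchers.append(comp.get(A + "name"))
    return {
        "fcm_service": fcm_service,
        "suspect_permissions": sorted(perms & SUSPECT_PERMISSIONS),
        "launcher_components": launchers,
    }


def triage_code(source: str) -> dict:
    """Look in decompiled code for the icon-hiding API and the fake-uninstall lure."""
    hides_icon = ("setComponentEnabledSetting" in source
                  and "COMPONENT_ENABLED_STATE_DISABLED" in source)
    # Weak indicator: an "uninstall" string shown through a toast or dialog.
    lure = (re.search(r"uninstall", source, re.IGNORECASE) is not None
            and re.search(r"Toast\.makeText|AlertDialog", source) is not None)
    return {"hides_icon": hides_icon, "fake_uninstall_lure": lure}


def triage(manifest_xml: str, source: str) -> list:
    """Combine both views into a list of named indicators; empty means none found."""
    m = triage_manifest(manifest_xml)
    c = triage_code(source)
    indicators = []
    if m["fcm_service"]:
        indicators.append("fcm-messaging-service")
    if m["suspect_permissions"]:
        indicators.append("identity-location-permissions")
    if m["launcher_components"] and c["hides_icon"]:
        indicators.append("launcher-icon-can-be-disabled")
    if c["fake_uninstall_lure"]:
        indicators.append("fake-uninstall-message")
    return indicators


# Constructed sample: a decoded manifest with the traits discussed in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kashmirchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: decompiled Java showing the lure and the icon-hiding call.
SAMPLE_SOURCE = """
Toast.makeText(this, "Initialization failed, the app will be uninstalled",
        Toast.LENGTH_LONG).show();
getPackageManager().setComponentEnabledSetting(
        new ComponentName(this, MainActivity.class),
        PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
"""

# Constructed benign manifest for comparison: launcher activity, no FCM, no suspect permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("sample :", triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
    print("benign :", triage(BENIGN_MANIFEST, ""))
```

None of these indicators is malicious on its own: plenty of legitimate apps use FCM, request location, or toggle components. The combination of a launcher activity that the code itself can disable, a fake uninstall message, and an FCM service in an app that arrived as a sideloaded APK is what warrants a closer look.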

The final payload delivered through the Firestarter Trojan has not yet been identified, but it may well be a Remote Access Trojan (RAT) or a fully fledged spyware kit. Android users are advised to protect themselves from mobile malware families like the Firestarter Trojan by installing a reputable mobile anti-virus application and by not installing APK files that arrive through email or chat links.
