FireScam Android Malware Packs Infostealer, Spyware Capabilities


The FireScam Android malware, identified as an infostealer and spyware, is distributed through a phishing website disguised as the "Telegram Premium" app. Once installed on devices running Android 8 or newer, FireScam requests extensive permissions to monitor and collect sensitive information, including credentials, financial data, and device activity. The malware uses Firebase Cloud Messaging to receive commands from its command-and-control server and can silently exfiltrate data such as app notifications, USSD responses, clipboard content, and messages. The data is sent to a Firebase Realtime Database, and the malware can potentially download additional malicious payloads. FireScam uses advanced evasion techniques to maintain persistence on infected devices.
