Firestarter Android Malware Abuses Google Firebase Cloud Messaging

firestarter malware

The DoNot APT threat group is leveraging the legitimate Google Firebase Cloud Messaging server as a command-and-control (C2) communication mechanism.

An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.

The malware, dubbed “Firestarter,” is used by an APT threat group called “DoNot.” DoNot uses Firebase Cloud Messaging (FCM), which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications. The service is provided by Firebase, a subsidiary of Google, and has been previously leveraged by cybercriminals.

In this case, the loader uses it as a communication mechanism to connect with DoNot’s command-and-control (C2) servers, helping the group’s activities avoid detection.

“Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines,” according to researchers with Cisco Talos in a Thursday analysis. “These experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area.”


The DoNot team continues to focus on India and Pakistan, and is known for targeting Pakistani government officials and Kashmiri non-profit organizations (Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley).


Users are lured to install a malicious app on their mobile device, likely done via direct messages that utilize social engineering, researchers said. The filename of these Android applications (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) show continued interest in India, Pakistan and the Kashmir crisis.

Once the app — which purports to be a chat platform — is downloaded and opened, users receive a message that chats are continually loading, and that the application is not supported, and that uninstallation is in progress. This is a lure to make the victim believe that there was no malicious install, researchers said. Once the message of uninstallation is shown, the icon is removed from the user interface (though it still shows in the application list in the phone’s settings).


The malicious app purports to uninstall after download. Credit: Cisco Talos

In the background, however, the malicious app is attempting to download a payload using FCM.

According to Firebase, an FCM implementation includes two main components for sending and receiving messages. These include an app server on which to build, target and send messages; and an iOS, Android, or web (JavaScript) client app that receives messages via the corresponding platform-specific transport service.

In this case, the app sends the C2 server a Google FCM token with various device info – including the geographic location, IP address, IMEI and email address from the victims – which then allows operators to decide whether the victim should receive the payload. This ensures that only very specific devices are delivered the malicious payload, researchers said.

The C2 then sends a Google FCM message containing the URL for the malware to download the payload. When the malware receives this message, it checks if it contains a key called “link,” and if that exists, it checks if it starts with “https.” It then uses the link to download the payload from a hosting server.

Of note, researchers said that the Google FCM communication channel is encrypted and mixed among other communications performed by Android OS using the Google infrastructure, which helps it escape notice.

“DoNot team is hiding part of their traffic among legitimate traffic,” said researchers. “Even though the malicious actors still need a [C2] infrastructure, the hardcoded one is only needed at installation time, afterwards it can be discarded and easily replaced by another one. Thus, if their C2 is taken down by law enforcement or deemed malicious, they can still access the victim’s device and instruct it to contact a new C2.”


DoNot’s Firestarter malware attack vector. Credit: Cisco Talos

 The final payload, meanwhile, is not embedded in the Android application, making it impossible for analysts to dissect it.

“This approach also makes detection more difficult,” they said. “The application is a loader with a fake user interface that manipulates the target after installing it.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinaron healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles