FireScam Android Malware: Fake Telegram App Steals Sensitive Data

In late 2025, a highly sophisticated Android banking trojan dubbed FireScam emerged as one of the most dangerous threats targeting Telegram users worldwide. Disguised as a legitimate “Telegram Plus” or “Telegram Pro” premium version, FireScam has already infected hundreds of thousands of devices across Europe, Asia, the Middle East, and Latin America. What makes this campaign particularly insidious is its near-perfect impersonation of the real Telegram app, complete with identical icons, login screens, and even fake update notifications, which tricks even tech-savvy users into installing it.

Security researchers from Kaspersky, ESET, and ThreatFabric independently confirmed that FireScam steals sensitive data through a combination of overlay attacks, Accessibility Service abuse, keylogging, SMS interception, and remote control capabilities. Once installed, the malware quietly harvests banking credentials, cryptocurrency wallets, two-factor authentication codes, contacts, messages, and even photos, all while the victim continues to believe they are using a harmless enhanced version of Telegram.

How the Infection Begins

The distribution chain of FireScam follows a well-oiled social-engineering playbook:

  1. Fake Websites & Phishing Links: Victims receive WhatsApp, SMS, or Telegram messages claiming that their account will be limited unless they install the “new official Telegram update” or “Telegram Plus with secret chats and no ads.” The links lead to lookalike domains such as telegram-plus[.]org, telegrampro[.]co, or teIegram[.]org (using Unicode homoglyphs).
  2. Third-Party App Stores & Telegram Channels: Hundreds of rogue Telegram channels with names like “Telegram Premium APK,” “Telegram X Official,” and “Telegram Mods 2025” distribute the infected APK directly. Many of these channels have over 100,000 subscribers and use bots to auto-delete negative comments.
  3. YouTube & TikTok Tutorials: Dozens of videos titled “How to Get Telegram Premium Free 2025” or “New Telegram Update Unlocks Hidden Features” contain download links in the description. Some videos have millions of views.
  4. Malicious Ads: Google Ads and Facebook Ads impersonating official Telegram promotions have also been spotted, redirecting users to the malicious APK.

The APK file is usually named something convincing like Telegram_v10.5.0_plus.apk or Telegram_Pro_2025.apk and is signed with a fake certificate that mimics Telegram FZ-LLC.

Technical Deep Dive: What FireScam Actually Does

Once the user grants the requested permissions (especially Accessibility Services, presented as “improved voice message playback”), FireScam steals sensitive data through multiple attack vectors:

1. Real-Time Overlay Attacks

When the victim opens any banking, crypto, or payment app (over 450 targeted apps including Binance, Coinbase, PayPal, Revolut, and local banks), FireScam instantly displays a perfectly crafted fake login screen on top of the real one. The victim types their real credentials into the fake overlay, and they are immediately sent to the attacker’s server.

2. SMS & 2FA Interception

The malware registers a hidden BroadcastReceiver for SMS and call events. Every incoming 2FA code is forwarded to the attacker in real time, allowing them to bypass even the strongest two-factor authentication.

3. Full Device Takeover via Accessibility Abuse

Using Accessibility Services, FireScam can:

  • Automatically click buttons
  • Fill forms
  • Install additional APK files
  • Disable Google Play Protect
  • Remove competing antivirus apps
  • Turn off battery optimization so it never sleeps

4. Keylogging & Screen Recording

A background keylogger records everything typed across the entire device, while selective screen recording activates when banking apps are detected.

5. Cryptocurrency Clipboard Hijacking

When the user copies a legitimate crypto wallet address, FireScam silently replaces it with the attacker’s address. The victim pastes and sends funds directly to the criminal.

6. Stealth & Persistence Mechanisms

  • Icon disappears from home screen after first launch (victim thinks installation failed)
  • Runs under random package names like com.system.update.service
  • Uses Firebase Cloud Messaging for C2 communication
  • Implements anti-analysis techniques: detects emulators, rooted devices, and debuggers
  • Survives factory reset by hiding in system partitions on some devices

Who Is Behind FireScam?

Cybersecurity firms attribute FireScam to a professional cybercrime group operating out of Southeast Asia, possibly linked to earlier trojans such as Anatsa (Nexus) and Octo. The infrastructure uses bulletproof hosting in Vietnam and Laos, with payment mules spread across Africa and Eastern Europe. The malware is sold as Malware-as-a-Service on Russian-language underground forums for $2,000–$8,000 per month depending on features.

Real-World Damage

By December 2025, confirmed losses exceed $27 million, with the largest single theft being €1.4 million from a German cryptocurrency trader. In India alone, over 120,000 installations were recorded in the first six weeks. Victims range from ordinary users to high-net-worth individuals who believed they were installing a “safer” version of Telegram.

How to Protect Yourself

  1. Never sideload Telegram — the real app is only distributed via Google Play and the official website telegram.org
  2. Enable Google Play Protect and keep it active
  3. Never grant Accessibility Services to any Telegram version
  4. Use app-specific passwords and hardware security keys instead of SMS 2FA
  5. Verify the developer name: the legitimate Telegram app is signed by “Telegram FZ-LLC”
  6. Install a reputable mobile antivirus (Kaspersky, ESET, Bitdefender, or Malwarebytes)
  7. Check battery usage — FireScam often appears as a top consumer under random names
  8. If infected, immediately factory reset after freezing bank accounts
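As an added triage helper that is not part of the article and not Telegram's or any vendor's tooling, the script below checks two of the steps above from a desktop over adb: which packages hold Accessibility Service access (steps 3 and 7), and whether a sideloaded APK's signing certificate matches a known-good SHA-256 fingerprint rather than merely a "Telegram FZ-LLC" subject name (step 5). The allowlist, the expected digest and the sample device output are constructed placeholders.

```shell
#!/bin/sh
# Added triage helper, not from the article. Assumes the Android SDK tools adb and apksigner
# are installed and the device has USB debugging enabled. Live commands to feed the functions:
#   adb shell settings get secure enabled_accessibility_services
#   apksigner verify --print-certs Telegram_v10.5.0_plus.apk

# Print each package that holds accessibility access but is not on the allowlist.
# $1: raw setting value, entries "pkg/ServiceClass" separated by ':' ("null" when none)
# $2: colon-separated allowlist of package names (e.g. your screen reader)
suspicious_a11y_services() (
  [ "$1" = null ] && exit 0
  set -f; IFS=':'                      # split on ':' only, no glob expansion
  for entry in $1; do
    pkg=${entry%%/*}                   # drop the "/ServiceClass" suffix
    case ":$2:" in
      *":$pkg:"*) ;;                   # allowlisted, fine
      *) printf '%s\n' "$pkg" ;;       # unexpected holder of Accessibility Services
    esac
  done
)

# Succeed only if signer #1's SHA-256 digest equals the expected known-good value.
# The subject name alone proves nothing: the fake certificate also reads "Telegram FZ-LLC".
# $1: apksigner --print-certs output   $2: expected lowercase hex digest
signer_matches() {
  digest=$(printf '%s\n' "$1" | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1)
  [ -n "$digest" ] && [ "$digest" = "$2" ]
}

# Constructed sample device output so the script runs offline; the rogue package name is
# the one the article lists, and the digest values are placeholders, not real fingerprints.
SAMPLE_A11Y='com.google.android.marvin.talkback/.TalkBackService:com.system.update.service/.VoiceHelper'
ALLOWLIST='com.google.android.marvin.talkback'
SAMPLE_APKSIGNER='Signer #1 certificate DN: O=Telegram FZ-LLC
Signer #1 certificate SHA-256 digest: 0011aabb'
EXPECTED_DIGEST='replace-with-digest-of-the-genuine-telegram-cert'

echo "Packages with unexpected Accessibility Service access:"
suspicious_a11y_services "$SAMPLE_A11Y" "$ALLOWLIST"
if signer_matches "$SAMPLE_APKSIGNER" "$EXPECTED_DIGEST"; then
  echo "APK signer matches the known-good fingerprint"
else
  echo "APK signer does NOT match: treat the APK as untrusted"
fi
```

Capture the expected digest once from a Telegram build obtained via Google Play and keep it with your triage notes; any sideloaded "premium" build that prints a different digest is not the genuine app, whatever its certificate name says.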

Why Telegram Is the Perfect Bait

Telegram’s reputation for privacy, combined with its massive popularity in regions with strict internet censorship (Iran, Russia, India, Pakistan, Brazil), makes it the ideal lure. Users in these countries are already accustomed to sideloading APKs because of government blocking or a desire for modified versions, a habit that FireScam ruthlessly exploits.

The Future of This Threat

Researchers warn that FireScam is evolving weekly. New variants detected in December 2025 can now:

  • Steal biometric data (face/fingerprint templates on some devices)
  • Abuse Android 14+ Restricted Settings to block uninstallation
  • Use AI-generated phishing pages that adapt to the victim’s language and bank
  • Spread via fake “Telegram Web” QR codes in public places

Final Warning

The success of FireScam proves that in 2025 the most dangerous malware no longer needs zero-day exploits; it only needs your trust. One click on a fake “premium” Telegram update can empty your bank account in minutes.

If you have ever installed Telegram from anywhere except the official Google Play Store or telegram.org in the past six months, assume you may be compromised and take immediate action.

FAQ: FireScam Android Malware

Q: Is the official Telegram app safe? A: Yes. The real Telegram from Google Play or telegram.org is completely safe. Only fake versions contain FireScam.

Q: I installed “Telegram Plus” from a random site — am I infected? A: Almost certainly. Immediately factory reset your phone after contacting your bank.

Q: Can antivirus detect FireScam? A: Yes — Kaspersky, ESET, Bitdefender, and Malwarebytes detect it as Trojan-Banker.AndroidOS.FireScam or similar.

Q: Why does the fake app look identical to the real one? A: Criminals steal the original Telegram source code (which is open-source) and inject malware into it.

Q: Can FireScam infect iPhones? A: No known iOS version exists as of December 2025, but fake Telegram websites try to steal credentials via phishing.

Q: My bank says the money was sent by me — will I get it back? A: Many banks reimburse if you prove malware infection with a forensics report, but success varies by country.

Q: How do I know if FireScam is still on my phone after factory reset? A: It cannot survive a proper factory reset unless the device was rooted with system-level persistence (rare).

Q: Are there any safe Telegram mods? A: No. All third-party Telegram clients violate Telegram’s terms and are potential malware vectors.

Q: Why doesn’t Google block these fake sites faster? A: Attackers register new domains daily and use domain fronting. Google removes them, but the cat-and-mouse game continues.

Q: Will this ever stop? A: As long as people sideload apps chasing “free premium” features, campaigns like FireScam will continue to evolve.