DoNot Firestarter is a newly detected malware on Android that is reportedly using Google’s own infrastructure to deliver malware. According to Cisco’s Talos cybersecurity researchers, Firestarter uses Google’s Firebase Cloud Messaging infrastructure to control the malware. Using Google’s infrastructure allows the malware to hide amidst legitimate Internet traffic, and also allows the malware to be targeted in a personalised manner, making it even harder for security researchers to detect.
Analysis of DoNot’s activities by cyber threat researchers at Cisco Talos says that the group tries to specifically target government officials in Pakistan, and NGOs working in Kashmir.
The loader is usually disguised as an application that a user is lured into installing. The app then contains additional code that is used to download the payload, based on the information gained from the device. This could be used — for example — to create an app that is innocuous in the rest of the world but acts as malware in a specific geography.
The malware then transmits personal and geographical information about the device to DoNot’s C2, or its command centre, which helps the group identify the user and decide whether or not to infect the device. The researchers said that by using Google FCM, the malware can receive a malicious package from the DoNot C2 in the form of a link, which would give the group access to the device. And even if a particular C2 was to be taken down, access through the Google FCM would allow the group to infect the device using a different C2, making this loader particularly dangerous and difficult to weed out.
The only way to neutralise the threat, researchers say, would be for Google to take down the infected FCM account, along with the C2. The analysis also says that being specific in targeting users, the DoNot Firestarter malware is hard to be detected and categorised by security researchers.