Firestarter Malware Abuses Google Firebase Cloud Messaging Platform

The Firestarter malware is used by the APT threat group DoNot. DoNot uses Firebase Cloud Messaging (FCM), a cross-platform, cloud-based messaging and notification solution for Android, iOS and web applications, which is currently available free of charge.

This service is provided by Firebase, a subsidiary of Google, and was previously used by cyber criminals.

The DoNot APT group is doing its best to experiment with new payload delivery methods.

You are using a legitimate service within Google’s infrastructure, which makes it difficult to detect in users’ networks.


According to the researchers, users tend to install a malicious application on their mobile device, probably with direct messages via social engineering. The filename of these applications for Android (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) indicates that there is still interest in India, Pakistan and the Kashmir crisis.

After downloading and opening an application that claims to be a chat platform, users will receive a message that the chat is continuously being downloaded, that the application is not supported, and that uninstallation will continue (as shown in the order below).

Often it is a distraction to make the victim believe there was no malicious installation, the investigators say. When a deletion message appears, the icon is deleted from the user interface.

In the background, however, a malicious application tries to load a load using FCM. This malicious application now contains additional malicious code which attempts to download the load based on information obtained from the compromised device.

The figure above shows that a malicious application tends to delete after downloading. When a deletion message appears, the icon is deleted from the user interface. The only way to identify a request is to check the list of requests.

Since the user receives messages about incompatibilities, the malware makes the first contact with the command and control servers (C2).

It will provide information on the identity and geolocation of the victim, which is very important for monitoring operators. The entire thread consists of six steps before the malware starts receiving commands from C2, as shown below.

After receiving the Google FMC token (step 1), operators have everything they need to send the Google FMC message with the malware download URL, geographic location, IP address, IMEI and email address of the victim, so they can decide which victims they want to give the payload to.

Need for a new charger

Better control over compromised devices, even if C2 does not work This new charger has two important functions for intruders.

They can first decide who will receive the shipment, with the possibility to check the victim before sending it.

This prevents the cargo from falling into the hands of investigators or law enforcers. Secondly, it offers them a strong out-of-band durability mechanism.

If the C2 server is disabled, the DoNot command can still redirect the malware to another new C2 server or to hosting via Google’s infrastructure.


Since the final payload is not integrated in the Android application, analysts cannot analyze it. This approach also makes detection more difficult. The following code fragment is responsible for loading the load.

In summary, the DoNot command used various configuration options to enable features specific to your web server infrastructure while maintaining compatibility with previous versions of the malware.

The DoNot team continues to focus on India and Pakistan, and this malware program further reinforces this trend.

You can follow us on Linkedin, Twitter, Facebook to get daily news about cyber security and hackers.

Also read

Firebase vulnerabilities in 100 million sensitive records – 2,300 Firebase databases and 3,000 affected iOS and Android applications

Nearly 2 million Android users attacked by FalseGuide malware in the Google Play shop – watch out!

Related Tags: