Keypoints
- Malware impersonates the Instander Instagram mod app to trick users into entering credentials.
- App requests username/email and password, then always displays an error regardless of correctness.
- Credential exfiltration leverages Firebase Authentication API createUserWithEmailAndPassword by combining user input with a fixed email pattern.
- The malware uses a static password value (kamalw20051) and submits the credential inputs twice to the Firebase project.
- Network traffic to Google’s www.googleapis.com is sent in Protobuf format (instead of default JSON), likely to reduce detection.
- Credentials appear in plaintext on the Firebase dashboard because they are stored as Firebase account names without hashing.
- McAfee detects this threat as Android/InstaStealer and published the IOA/IOC details including a SHA256 sample.
MITRE Techniques
- [T0000] Not specified – The article cites no explicit MITRE ATT&CK technique IDs; it describes credential harvesting through a malicious mobile app and abuse of a cloud authentication API (createUserWithEmailAndPassword) without mapping either to ATT&CK.
Indicators of Compromise
- [File hash] Malware sample SHA256 – 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39
- [Domain/API endpoint] Data exfiltration target – www.googleapis.com (Firebase API endpoints used to submit credential data in Protobuf format)
The malware is distributed as a trojanized Instagram mod app that mimics the Instander UI and prompts the user for their Instagram account (username or email) and password, but always returns an error message. To capture credentials, the app takes the supplied account identifier, appends a fixed domain segment to form an email-like string, pairs that as the email parameter with a static password value (“kamalw20051”), and calls Firebase Authentication’s createUserWithEmailAndPassword API; this submission is performed twice, once for each input field. Because createUserWithEmailAndPassword creates accounts that are visible in the Firebase console, the attacker can read the submitted account names and passwords in plaintext on the Firebase dashboard.
On the network side, the app communicates with Google’s Firebase services (www.googleapis.com) and sends the authentication requests in Protocol Buffers (Protobuf) format instead of the usual JSON encoding. Using Protobuf together with Google-owned domains likely reduces scrutiny by network filters and makes the traffic appear legitimate, enabling stealthy exfiltration of harvested credentials. McAfee’s analysis notes detection as Android/InstaStealer and provides a SHA256 sample for reference.
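The behaviour above gives a defender three observable signals: a Firebase Authentication sign-up call from an app that has no business creating Firebase accounts, Protobuf-encoded requests to the identitytoolkit endpoint on www.googleapis.com, and the same sign-up fired twice in quick succession (once per input field). The following is an added example, not McAfee's code or anything from the analysed sample, that applies those three checks to constructed HTTP-proxy log lines and matches file digests against the SHA256 published on this page. The log format, the package names and the allowlist are assumptions invented for the example; the legacy identitytoolkit path is the REST endpoint that the createUserWithEmailAndPassword SDK call is built on.

```python
"""Detection sketch for Android/InstaStealer-style credential harvesting.

Added example (not the original article's or McAfee's code). The proxy log
format below is constructed for this example; the package names are
placeholders, not real app identifiers.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# IOC taken from the page: SHA256 of the analysed sample.
IOC_SHA256 = {"238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39"}

# Assumption: the analyst maintains an allowlist of packages that legitimately
# use Firebase Authentication. Anything else calling the sign-up endpoint is suspect.
FIREBASE_AUTH_ALLOWLIST = {"com.example.ownapp"}

# Constructed log format: <ts> pkg=<package> <method> <host> <path> ct=<content-type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) ct=(?P<ct>\S+)$"
)

# Legacy Firebase Auth REST sign-up path (what createUserWithEmailAndPassword calls).
SIGNUP_PATH_MARKERS = ("identitytoolkit", "signupNewUser")

# Constructed sample traffic: one legitimate app, one impostor that submits the
# sign-up twice with Protobuf bodies, plus unrelated traffic.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z pkg=com.example.ownapp POST www.googleapis.com /identitytoolkit/v3/relyingparty/signupNewUser ct=application/json",
    "2024-01-01T10:00:05Z pkg=com.example.instamod POST www.googleapis.com /identitytoolkit/v3/relyingparty/signupNewUser ct=application/x-protobuf",
    "2024-01-01T10:00:06Z pkg=com.example.instamod POST www.googleapis.com /identitytoolkit/v3/relyingparty/signupNewUser ct=application/x-protobuf",
    "2024-01-01T10:01:00Z pkg=com.example.instamod GET www.instagram.com /api/v1/feed ct=-",
]


@dataclass
class Alert:
    ts: str
    pkg: str
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_firebase_signup(rec):
    """True when the request targets the Firebase Auth sign-up endpoint on googleapis.com."""
    return rec["host"].endswith("googleapis.com") and all(
        marker in rec["path"] for marker in SIGNUP_PATH_MARKERS
    )


def scan_logs(lines):
    """Return alerts for sign-ups from unlisted apps, Protobuf-encoded
    identitytoolkit requests, and repeated sign-ups from one package."""
    alerts = []
    signups_per_pkg = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_firebase_signup(rec):
            continue
        signups_per_pkg[rec["pkg"]] += 1
        if rec["pkg"] not in FIREBASE_AUTH_ALLOWLIST:
            alerts.append(Alert(rec["ts"], rec["pkg"], "firebase-auth-signup-from-unlisted-app"))
        if rec["ct"] == "application/x-protobuf":
            alerts.append(Alert(rec["ts"], rec["pkg"], "protobuf-encoded-identitytoolkit-request"))
    # The sample submits the credential fields as two separate sign-ups.
    for pkg, count in signups_per_pkg.items():
        if count >= 2:
            alerts.append(Alert("-", pkg, "repeated-signup-burst"))
    return alerts


def sha256_hex(data):
    """SHA256 of an in-memory APK/file body, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc(digest):
    """True when a hex SHA256 is in the published IOC set."""
    return digest.lower() in IOC_SHA256


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(f"{alert.ts} {alert.pkg} {alert.reason}")
    print("IOC hit:", matches_ioc(next(iter(IOC_SHA256))))
```

Run against the constructed sample, the legitimate app produces no alerts (it is allowlisted, uses JSON and signs up once) while the impostor trips all three checks. In a real deployment the allowlist and the log parser would be adapted to the proxy or mobile EDR in use; the useful part is the combination of signals, since any one of them alone (Protobuf to a Google domain, say) is common in benign traffic.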