Check Point security researchers have warned that tactics employed by a mobile Trojan targeting users in China might become a worldwide threat when adopted by Western malware.
Called the “Swearing Trojan”, the threat was discovered not long ago by Tencent Security researchers, who revealed that the threat can steal bank credentials and other sensitive personal information from Android devices. The malware’s name comes from Chinese swear words that were found inside the malware’s code.
The Swearing Trojan can also bypass 2-factory authentication (2FA) security by replacing the original SMS app on the infected devices with an altered version, which allows it to intercept the one-time codes banks send to their users.
The malware was observed spreading through droppers that download malicious payloads on compromised devices, and via fake base transceiver stations (BTSs) that send phishing SMS messages purportedly coming from China Mobile and China Unicom, two of the largest Chinese telecom service providers. Similar tactics could be adopted by Western malware too, researchers say.
“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” Check Point reveals.
Once the malware has infected a device, it starts sending automated phishing SMSs to the victims’ contacts. SMS messages spreading Swearing Trojan might also attempt to trick the victim into downloading a work related document, a picture of a memorable event or that of a cheating spouse, a video of a trending event, or even critical updates. The malware itself uses SMS or email to communicate with the command and control server.
As it turns out, the actors using this Trojan have been already arrested, but Check Point says the malware still remained active, likely because the attackers were part of a larger operation. What’s more, the researchers say that only 21cn.com email addresses were used in the initial campaign, but new attacks used other popular Chinese email service providers as well, including 163.com, sina.cn and qq.com.
Furthermore, new variants of the Swearing Trojan were observed in the wild recently, along with a trend to use Aliyun and other cloud service hosted email accounts. Some of these email addresses are using a mobile number as their user name, and inconsistencies between these numbers and the actual mobile number used in SMS suggest that the Trojan variants are repackaged at least twice.
“Many mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be early birds which continued to spread worldwide. The widespread of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well,” the researchers conclude.