Rogue Cellphone towers used to spread the Android Swearing Trojan

Chinese scammers are deploying rogue cellphone towers to spread the Android Swearing Trojan via malicious URL in SMS messages.

Chinese scammers are deploying fake mobile base stations to spread the Android Swearing Trojan in text messages.

The attackers have improved the well-known Smishing attack using rogue cell phone towers as the attack vector and distribute the Android banking malware via spoofed SMS messages.

The rogue Cellphone towers send SMS messages include a malicious URL purport to be from China Telecom or China Unicom. According to the experts from Check Point, China’s Tencent has also observed a more conventional malware dropper in infected applications.

With this technique, the scammers avoid being caught by the control implemented by carriers.

The Swearing Trojan is quite similar to other banking trojan, it is able to steal user data and it can bypass 2-factory authentication (2FA) security.

It is able to intercept the one-time code sent to the user via SMS during the authentication phase. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.

“By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.” reads the analysis published by CheckPoint

Since Google Play Store is blocked in China, it is easy for scammers trick users into installing the APK from an untrusted source just by sending an SMS.

“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware,” continues CheckPoint Security.

There are more phishing scams Swearing Trojan uses to spread:

Work related documents: A fake SMS message coming from a manager asks the user to download and open an important document right away, and to reply to comments inside.
Photos or videos: A fake SMS message claims to include a picture of a memorable event, or to be of a cheating spouse.
Trending events: A recent example posed as a MMS message including a video of a cheating celebrity wife caught in action.
App update notifications: An SMS message claims to be from a bank or telecom provider, and asks the user to install critical updates.

This version of the Swearing Trojan doesn’t use command and control servers, the malicious code sends information back to the crooks via SMS or email.

Tencent reported the arrest of the cyber criminal gang associated with the Swearing Trojan, the new wave of attacks leveraging on the malware demonstrates that another gang is using the code.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Swearing Trojan, Rogue Cellphone Towers)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.