Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL
+44 (0) 1582 434320

"Swearing" Trojan Spreading Malware VIA Fake Base Stations

"Swearing" Trojan Spreading Malware VIA Fake Base Stations

"Swearing" Trojan Spreading Malware VIA Fake Base Stations

Security researchers have discovered a sophisticated cyber-attack in China. Where Chinese phishing agents are deploying fake base stations to spread malware in text messages that would otherwise be caught by the carriers.

This malware is designed to steal personal info and even bypass banks’ two factor authentication systems by intercepting incoming SMS codes for account log-ins.

Banking apps use two-factor authentication as a method to secure access by sending a one-time code to the user via SMS. Further, having users to enter their password. The Trojan replaces the Android SMS application with its own, allowing it to steal message-based two factor authentication such as bank tokens; and intercept incoming SMS messages, rendering two-factor authentication useless.

It also spreads from the infected user by sending phishing messages to victims’ contacts.

There are two methods Swearing Trojan uses to spread:

  • Droppers download malicious payloads once a user installs an infected app on a device
  • Attackers control fake base transceiver stations (BTSs) that send phishing SMS messages masked as coming from Chinese telecom services providers China Mobile and China Unicom

Fake Cellphone Message

Figure 1 Hackers using fake cellphone tower to spread malware

“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” explained Check Point mobile security researcher, Feixiang He.

Once the infected app has been installed, it asks mobile user for only screen lock-related permissions to avoid suspicion. Later, the malware spreads by sending automated phishing SMSs to victim’s contacts.

The Trojan doesn’t communicate with remote C&C servers. However, sends data back to an attacker using SMS or email. This provides the malware stay undercover for its communications and obstructs efforts to trace any malicious activity.

There are more ways Swearing Trojan looks to spread. For instance- through work related documents- where a fake SMS message coming from the manager asks the user to download and open an important document immediately; fake update notifications and malicious MMS messages.

The widespread of the Swearing Trojan was accomplished by using fake BTSs and automated phishing SMSs. Feixiang He, alerts that such tactics could be used outside China if cyber-criminals see them performing well and advises organisations to protect against these tactics and many others, they should implement advanced solutions, such as the Check Point Mobile Threat Prevention.