A foul-mouthed Android banking trojan that once appeared neutralized after its distributors were rounded up in a police raid has shown new signs of life, suggesting the operation was larger than originally thought, researchers at Check Point Software Technologies reported on Tuesday.
The malware, dubbed Swearing Trojan because its code contains Chinese curse words, is capable of stealing personal data and banking credentials, and can bypass two-factor authentication by replacing a user's legitimate Android SMS app with a malicious version that intercepts incoming SMS messages. While this malware campaign has historically targeted Chinese users, Check Point warned in a blog post that the scheme could easily spread globally.
Check Point's blog post specifically cites a June 2016 report, written in Chinese, from Shenzhen China-based Tencent, which detailed the original Swearing Trojan campaign and the subsequent police action. While a number of attackers were taken into custody before that report was published, Check Point has continued to spot versions of Swearing Trojan active in the wild as recently as March 2017. (The blog post lists 51 notable variants.)
Swearing Trojan will sometimes spread conventionally via malicious apps that contain droppers, but it also has a more sophisticated and insidious method of distribution: it uses fake base transceiver stations to send smishing messages that appear to come from trusted sources, such as the Chinese telecom service providers China Mobile and China Unicom. Some of these fake messages, which trick recipients into clicking on booby-trapped URLs that install the malware, are even designed to look like they came from people with whom the victims are romantically entangled, Check Point warned.
Base transceiver stations (BTSs) are essentially equipment that enables wireless communication between a user device and a network. "The attacker first sets up a fake BTS, to which users accidentally connect. Once they are connected, the attacker controls the victim's network connection," said Daniel Padon, Check Point mobile threat researcher, in an email interview with SC Media. "By leveraging this control, the attacker spoofs a fake message allegedly from the network provider containing the phishing message."
Once the malware is installed, it further attempts to spread itself by sending automated smishing messages to victims' contacts.
Other examples of Swearing Trojan smishing attempts that have been observed in the wild include fake SMS messages that appear to contain work-related documents, alluring or scandalous photos and videos, and app update notifications from banks and telecom providers.
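As an added illustration (not code from the Check Point or Tencent reports), the following Python heuristic triages a constructed Android SMS log for the two behaviours described above: an inbound lure that invokes a telecom brand and carries a link, and a burst of the same lure sent out to many contacts after infection. The log format, brand list, thresholds and sample numbers are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sms:
    ts: int         # epoch seconds
    direction: str  # "in" (received) or "out" (sent)
    number: str     # remote party
    body: str

# Brand names and service short codes the lures impersonate (assumed list).
TELECOM_BRANDS = ("china mobile", "china unicom", "10086", "10010")
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:cn|com|net|top|xyz)(?:/\S*)?", re.I)

def is_brand_smish(m: Sms) -> bool:
    """Inbound message that invokes a telecom brand and pushes a link."""
    low = f"{m.number} {m.body}".lower()
    return (m.direction == "in"
            and any(b in low for b in TELECOM_BRANDS)
            and URL_RE.search(m.body) is not None)

def outbound_fanout(log, window_s=600, min_recipients=10):
    """Bodies with a link sent unchanged to >= min_recipients distinct
    numbers within window_s seconds: the infected phone smishing contacts."""
    by_body = defaultdict(list)
    for m in log:
        if m.direction == "out" and URL_RE.search(m.body):
            by_body[m.body].append(m)
    hits = []
    for body, msgs in by_body.items():
        span = max(x.ts for x in msgs) - min(x.ts for x in msgs)
        numbers = {x.number for x in msgs}
        if len(numbers) >= min_recipients and span <= window_s:
            hits.append((body, len(numbers)))
    return hits

def triage(log):
    return {"smish": [m for m in log if is_brand_smish(m)],
            "fanout": outbound_fanout(log)}

# Constructed sample log: a normal exchange, one lure, then the same lure
# sent to 12 contacts over four minutes.
LURE = "China Mobile: your points expire today, claim at http://example.invalid/points"
SAMPLE_LOG = [
    Sms(1000, "in", "+8613800000001", "dinner at 7?"),
    Sms(1060, "out", "+8613800000001", "sure, see you there"),
    Sms(2000, "in", "10086", LURE),
] + [Sms(2300 + 20 * i, "out", f"+86139000000{i:02d}", LURE) for i in range(12)]
```

Calling `triage(SAMPLE_LOG)` returns the one flagged inbound lure and the 12-recipient fan-out; the ordinary exchange is not flagged.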
Swearing Trojan also employs a couple of techniques to attract minimal suspicion. For instance, rather than communicating with remote command-and-control servers, it instead uses SMS or email to send data back to the attackers. "This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity," the blog post states.
Check Point also noted that while Swearing Trojan attackers originally used email addresses specifically from 21cn.com to support their phishing campaign, they have now branched out to make use of 163.com, sina.cn and qq.com, as well as Alibaba Cloud and other cloud service-hosted email accounts. Some of these email addresses use mobile numbers as their user names; however, these numbers do not match the actual mobile numbers seen in the SMS messages, which suggests the variants are repackaged "at least twice," the blog post explains.