According to a research note from Check Point, the Android malware behind this campaign is not new to China, but delivering it from fake base stations is a new angle. Profanities in the code comments earned it the name “The Swearing Trojan”; its original authors are already under arrest.
The basic mode of infection is simple. SMS messages sent from the fake base stations appear to come from China Telecom or China Unicom and carry a malicious URL that looks as if the customer’s own operator endorsed it. Elsewhere in the note, Check Point said that a more conventional malware dropper was also seen in the infected applications reported by China’s Tencent.
Because the texts originate from a rogue base station rather than the carrier’s network, they bypass the filtering a carrier would normally apply, and the Trojan goes on to extract private information from the victim.
Phishing is the fraudulent practice of sending messages that purport to come from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers; when the lure arrives by SMS, as it does here, it is often called smishing.
The process is straightforward. The Trojan replaces the phone’s default Android SMS application, which lets it read every incoming message and so steal SMS-based two-factor authentication codes, such as bank tokens. It then spreads from the infected device to the victim’s contacts by sending them phishing messages.
According to Check Point, the most common lures used by the Swearing Trojan are messages about work documents, photos or videos, app update notifications, and the never-ending “nude celebrity” message.
Rather than contacting command-and-control servers, the malware sends stolen information back to its operators over SMS, so there is no C2 traffic for network defenders to spot. Although Tencent reported arrests of people associated with the Trojan, others connected to the campaign appear to be still active.