An Android banking trojan, dubbed Swearing Trojan due to the vast amount of Chinese swear words included in the source code, was first discovered in 2016 by Tencent Security. It can collect personal user data, display phishing messages to collect login credentials, and intercept SMS messages to bypass two-factor authentication (2FA) or one-time codes used by banks. The perpetrators send SMS messages to potential victims, enticing them to click links in the SMS using social engineering tactics. In March 2017, it was reported that Chinese malware authors used base transceiver stations (BTSs) — equipment typically installed on cell phone towers — to send spoofed SMS messages that contain links to the Swearing Trojan. The malicious actors use the rogue BTS equipment to trick nearby mobile devices into connecting to a separate mobile network. They then send a SMS message to the users containing a link to a malicious APK, made to look as though the link from their mobile provider or bank to update their mobile app. If the user installs the APK file, the trojan is downloaded. As of March 2017, this malware distribution campaign is only active in China; however, researchers expect that the tactics used to spread this malware will be adopted worldwide.
- March 2017: Chinese cybercriminals are using cell phone towers to spread the Swearing Trojan. (BleepingComputer)
- March 2017: Observed new attacks using slightly modified versions of the Swearing Trojan. (Check Point)
- Check Point researchers provide technical details on the Swearing Trojan, available here.