Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China. Swearing Trojan's name comes from Chinese swear words found inside the malware's code. The malware infected a large number of Android users in China, stealing their bank credentials and other sensitive personal information.

Like mobile banking Trojans discovered previously, Swearing Trojan steals personal data and can bypass two-factor authentication (2FA). Banking apps use two-factor authentication to secure access by sending a one-time code to the user via SMS in addition to requiring his or her password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless. Any app granted RECEIVE_SMS can read such a code as it arrives; taking over the default SMS app role additionally lets the malware control whether the message ever shows up in the user's inbox.

Swearing Trojan spreads using two primary infection methods:

  • Droppers download malicious payloads once a user installs an infected app on a device.
  • Attackers operate fake base transceiver stations (BTSs) that send phishing SMS messages masquerading as ones coming from Chinese telecom service providers China Mobile and China Unicom.

Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. Because the rogue base station controls the sender ID, the message appears to come from the operator's own number and the handset has no way to tell it apart from a genuine one. The message tricks users into clicking a malicious URL which installs the malware. Messages posing as coming from someone the victim is romantically involved with have also been seen in these attacks.

Once the infected app is installed, it asks the user only for screen-lock-related permissions, to avoid suspicion. After installation, the malware spreads further by sending automated phishing SMS messages to the victim's contacts.

Swearing Trojan also spreads through several other phishing lures:

  • Work-related documents: A fake SMS message, supposedly from a manager, asks the user to download and open an important document right away and to reply to the comments inside.
  • Photos or videos: A fake SMS message claims to include a picture of a memorable event, or of a cheating spouse.
  • Trending events: A recent example posed as an MMS message carrying a video of a celebrity's wife caught cheating.
  • App update notifications: An SMS message claims to be from a bank or telecom provider and asks the user to install critical updates.
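The lures above share a small number of traits: a link (often to an APK), a sender posing as an operator or a bank, and a pretext that pushes for immediate action. The following triage script, added here as an example and not part of the original report, scores SMS records against those traits so an analyst or an SMS gateway filter can surface likely lures. The messages are constructed for the example, and the short codes 10086 and 10010 are assumed here as the customer-service numbers a fake BTS would spoof for China Mobile and China Unicom; the page itself names only the operators.

```python
import re

# Constructed sample messages (not from the original report): (sender, body).
SAMPLE_SMS = [
    ("10086", "China Mobile points expire today, redeem at http://10086-gift.example/points"),
    ("10010", "China Unicom: your account needs a critical app update http://unicom-update.example/app.apk"),
    ("+8613100000000", "Boss here, open this document right away and reply to my comments http://doc.example/123"),
    ("+8615500000000", "Here's the photo from last night ;) http://pic.example/x"),
    ("10086", "Your bill for March is 58.00 CNY. Thank you for using China Mobile."),
    ("+8613900000000", "Meet at 7 in front of the station?"),
]

# Assumed operator short codes (not stated on the page) and brand strings.
TELECOM_SHORTCODES = {"10086", "10010"}
TELECOM_BRANDS = ("china mobile", "china unicom")

# One pattern per lure family described in the report.
LURE_PATTERNS = {
    "work_document": re.compile(r"\b(document|comments|right away|urgent)\b", re.I),
    "photo_video": re.compile(r"\b(photo|picture|video)\b", re.I),
    "app_update": re.compile(r"\b(update|install)\b", re.I),
}
URL_RE = re.compile(r"https?://\S+", re.I)
APK_RE = re.compile(r"\.apk\b", re.I)


def triage(sender: str, body: str) -> dict:
    """Score one SMS; each matched trait adds one point and one reason string,
    so the output explains itself to the analyst reviewing it."""
    reasons = []
    urls = URL_RE.findall(body)
    if urls:
        reasons.append("contains_url")
    if any(APK_RE.search(u) for u in urls):
        reasons.append("links_to_apk")
    # A link delivered under an operator's identity is the fake-BTS pattern.
    spoofs_telecom = sender in TELECOM_SHORTCODES or any(
        brand in body.lower() for brand in TELECOM_BRANDS
    )
    if spoofs_telecom and urls:
        reasons.append("telecom_brand_with_url")
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(body):
            reasons.append(f"lure:{name}")
    return {"sender": sender, "score": len(reasons), "reasons": reasons, "urls": urls}


def flagged_messages(messages, threshold: int = 2) -> list:
    """Return the indices of messages scoring at or above the threshold.
    A lone brand mention (a genuine bill) or a lone URL does not fire."""
    return [i for i, (s, b) in enumerate(messages) if triage(s, b)["score"] >= threshold]


if __name__ == "__main__":
    for i in flagged_messages(SAMPLE_SMS):
        result = triage(*SAMPLE_SMS[i])
        print(f"[{result['score']}] {result['sender']}: {', '.join(result['reasons'])}")
```

Keyword scoring of this kind is easy to evade and is only a first filter; the sender spoofing itself happens at the radio layer, where the handset cannot see it. The controls that actually break the chain are refusing sideloaded APKs and alerting when the default SMS app changes.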

Swearing Trojan does not communicate with remote C&C servers. Instead it sends stolen data back to the attacker by SMS or email. This gives the malware good cover for its communications: there is no C&C domain or IP address to block or sinkhole, which hinders attempts to trace the malicious activity.

Although Tencent reports that the attackers are in custody following a police raid, Check Point researchers have detected continued activity from the malware. It is therefore possible that the attackers in custody were only part of a larger operation spreading the malware.

Since September 1, 2016, the Chinese government has enforced real-ID registration for all mobile numbers: owners who fail to submit real ID information to their telecom provider before the deadline have their numbers terminated. This regulation should significantly reduce Swearing Trojan's ability to spread using fake mobile numbers. However, phishing by email remains an available attack vector for the malware.

In the original Tencent report, only 21cn.com email addresses were observed. Check Point researchers have since seen the malware use other popular Chinese email providers, such as 163.com, sina.cn and qq.com.

As of March 2017, we still observe new Swearing Trojan variants in the wild. We also see a trend toward email accounts hosted on Aliyun and other cloud services (e.g. qwewa.com, Shanghai Meicheng Technology Information Development Co., LTD.).

Some of these email addresses use a mobile number as the user name. Judging from the mismatch between the numbers in the email addresses and the mobile numbers actually used to send SMS, we believe Swearing Trojan variants have been repackaged at least twice.

Much of the mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be an early sign of campaigns that went on to spread worldwide. Swearing Trojan achieved its wide spread by using fake BTSs and automated phishing SMS messages, and both techniques can be adopted by Western malware as well. To protect your organization against these tactics, and many others, you should implement advanced solutions, such as Check Point Mobile Threat Prevention.


Appendix 1 – SHA-256 hashes of notable variants

No. SHA-256 Email (# stands in for @) Mobile City Province
1 3a8de6ad201f258ff3cabae8e82f7772a7ea29cb90bdf19a6f0f6df7e9524d5c Chax********#163.com 181******08 Dongguan Guangdong
2 61d75ea62b13a01374ad7f756d41f7d2989fe1b873cb009feb307347036eda8f aa15********7#21cn.com 131******00 Guangzhou Guangdong
3 35d646807e472c7b9e2d8237e98b6ed1ab5cc4b4e05f87fc100c0890fd212d84 1550*******#sina.cn 135******44 Beijing Beijing
4 5aca849153f56c895130b9119791f8909c9c3ab342f1948448bafe1bcf0122e8 1317*******#sina.cn 155******57 Zhongshan Guangdong
5 38418bc93bbe2afddfd75b8e11e724dcd71cda86bee1bedcfba363943559c1c6 Ccti****#aliyun.com 130******16 Guangzhou Guangdong
6 1ec4232ed1ab16f75e9b883424e5b248b439100d9f0cc25e812b49b609e79254 Laod********1#21cn.com 156******09 Suzhou Guangdong
7 95ae4e91540ee1a8bb5ed52a3e935adc797a283ef94dd8dcb7b9d0f90368d1d2 Laoqi*******68#21cn.com 131******09 Shenzhen Guangdong
8 db57cec5603f9f4c557f1a07fce05904a807de92838bd94eef095bc59547ca29 Fac*****#21cn.com 156******33 Zhongshan Guangdong
9 425f634574cfbe5b361dd9b92913825ff08c05c371638f7401764faac3b297ed a13********#21cn.com 132******64 Suzhou Jiangsu
10 134565cab9a104e1dcd96b299ba43c1b735a96731f1418effb4e1c27f1c2400a a13********#21cn.com 132******64 Suzhou Jiangsu
11 a880b70acbeb8f7b130eb4e4aa8273cfa02d02985cc0a5ec7b96a26bc681aa4e a13********#21cn.com 158******20 Xi’an Shaanxi
12 1b0a139a9af39c54a070d7b867ae497340ddcfc48bdb75901293d7de9ca9b5bf a13********#21cn.com 158******20 Xi’an Shaanxi
13 17da46d70f88d754436ff6b6df0d8a1f618f13bb9b27c70f4e7f6d5bde53932c Lao*******#21cn.com 131******24 Yangzhou Jiangsu
14 1c4422c2c281b51e35ee2b4f14f9d77e6be1fd9155b6b5f8f63a673d435001fa Lao*******125#21cn.com 159******25 Guangzhou Guangdong
15 ad0371ac2e8b33f0b4e0b4b5243171c4c5b7c400cbd2f91cb54f2a632375dd5f a13********3#21cn.com 135******43 Shenzhen Guangdong
16 cba32feded6d8b8f6a9810c5be4eac9067e64617da547c39a5108ec6baea5fda Mk*******#21cn.com 155******47 Taian Shandong
17 65a34d6dcfbf8d6f56e2708ba7c4d717d4dcb6af169bcd24b2e920353aaab74a lao1********25#21cn.com 159******25 Guangzhou Guangdong
18 2dd770959588616bcada53cb07c914545ee9535be1270fa5b9df4e99b735e0a8 Sdf********2#21cn.com 130******30 Guangzhou Guangdong
19 5384843a8855667d813d34d6b025cdc7dce49ed3a6d50292f6dc6bf20e8e0c0e Cao*******#21cn.com 130******59 Shenzhen Guangdong
20 cdff33b5761a5082e5c030af7de7c481a959a9ce50da45ac5720b63e904049d2 Xiaoc**********#21cn.com 156******86 Suzhou Jiangsu
21 3c770ce835311f41af271111197b64be44787e49d883ff838e7393e7fb2e0785 Xiaoc**********#21cn.com 156******86 Suzhou Jiangsu
22 7a1beb660d3550372c109cdb3a4dcdf8ab1a67488f24f9bc7555ffe34f1809f8 Caon*******#21cn.com 130******59 Shenzhen Guangdong
23 5d9cb23cf35e16fd351307af77d69c85c29cebb840ff851a51c2bae36452e9bd Fg*****#21cn.com 132******57 Jiangmen Guangdong
24 59e127e735ee5fa125c6afc0530154a3eb5e717ce2416f357934d0b7ef95091d a15**********#21cn.com 150******28 Shenzhen Guangdong
25 45d8d74bf54f8f8059d46e05b2dc3536c670e18e62f27d6c657e35598e99775f q13********#21cn.com 131******52 Jining Shandong
26 0b2a5a91e659f672fa13059d3b8c15c28ae77a37a2938a66a9d06f5910194ead Lao***********#21cn.com 131******09 Shenzhen Guangdong
27 23ad457567b619a0cdb6858ffc7b47b400a02d9dd3a632d06337279a508b7b7a kim5*******#21cn.com 155******97 Guangzhou Guangdong
28 6435133f38cfa7b05f9897a16cee451d20665d377d4eae7e5bd2100a5d2b15f1 shun1*********4#21cn.com 137******24 Shenzhen Guangdong
29 509b471f8993ed60dd34b0c312572ee16e292d235d228d28de8cb75522e9e4b3 a130********#21cn.com 130******59 Guangzhou Guangdong
30 d437995f1d6d423f97ac2eae7b4e282ad02427b11c4c0742c581b9db7712bb70 a1589********#21cn.com 158******20 Xi’an Shaanxi
31 6a6024816aa0d58a0cb523e9e83f10ddd23bf1741884dfddf54ed3c7d4ccad66 fa134*********#21cn.com 134******05 Guangzhou Guangdong
32 22c81d8430694495ac3774cdbbfb9b8c9b6585a755695fc5e96335c146e2030a Dad******#21cn.com 183******02 Lianyungang Jiangsu
33 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c ads13*********#21cn.com 138******37 Pingdingshan Henan
34 e6a7a865dcda2a6f6803fcefb579c633243bd7f04aa1248c8970816cf5b73696 xsa1*********#21cn.com 131******13 Guangzhou Guangdong
35 0f4e6a203e4f5fa07a5389652312b7964582db2a52ff3fe3ac6c90c8d77b816b Nig********q#21cn.com 131******76 Guangzhou Guangdong
36 68a5719f0bb89340bef08eb6b975763567b2172c8835d76a9d3044d06ff1a137 Kiiu***#21cn.com 139******44 Pingdingshan Henan
37 6374cc4c64119070285101cd1777cd4fbeee05a7f5730f3a6c54804cb16ce46a ak136*********#21cn.com 136******54 Hebi Henan
38 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c fa134*******#21cn.com 134******05 Guangzhou Guangdong
39 e6a7a865dcda2a6f6803fcefb579c633243bd7f04aa1248c8970816cf5b73696 dad1*****#21cn.com 183******02 Lianyungang Jiangsu
40 0f4e6a203e4f5fa07a5389652312b7964582db2a52ff3fe3ac6c90c8d77b816b ads135********#21cn.com 138******37 Pingdingshan Henan
41 68a5719f0bb89340bef08eb6b975763567b2172c8835d76a9d3044d06ff1a137 xsa131*******#21cn.com 131******13 Guangzhou Guangdong
42 6374cc4c64119070285101cd1777cd4fbeee05a7f5730f3a6c54804cb16ce46a Nigejib*******#21cn.com 131******76 Guangzhou Guangdong
43 abc6371d90c18a0e3a20a4dd042864ef2b02aa6fc7964ce6ad107dda0c1316d1 Kiiu***#21cn.com 139******44 Pingdingshan Henan
44 d050e445be3c3c2439b8267aa52293f90f8ce69bcbd8d31008c1d1da7e1b10c7 ak136*********#21cn.com 136******54 Hebi Henan
45 28d3d7c4cd2405aa0da29593b43b86cba4974aaf7dcaeee00db332e9990e7fac Laow******#21cn.com 131******09 Shenzhen Guangdong
46 f3c0929f10da65168baf62a7cd17b8211183cf487fd15fecbad1d666c1ee34e6 Lao*******#21cn.com 130******59 Shenzhen Guangdong
47 7a7bef9d7bbbabc1bb16d1d8476fd0d48faffde0257f400bd5bd720736f8d207 Ye*******#21cn.com 155******54 Jinan Shandong
48 bbe118a3e3076d674c978732edfa14f77f610d899021d1af62ad04017ac08b5e a132*********#21cn.com 132******14 Jinan Shandong
49 7b318cf4bc31379a417024c69c4491a64d64cca898020eba3bf2b35bca3d1d54 Laoq*******#21cn.com 136******79 Luoyang Henan
50 ee1858f4d8dc15a87d2d98e91630978ba8144977d5fd7bb43b206853f35b41dc 306*******#qq.com
51 2319844669f5958a390d7fe85e4e7433dd6bdb138c0f4baf47813cdf3f775d65 qq130*********#21cn.com 132******32 Shenzhen Guangdong