Swearing Trojan Continues to Rage, Even After Authors’ Arrest
Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China. Swearing Trojan’s name comes from Chinese swear words found inside the malware’s code. The malware infected a large number of Android users in China, stealing their bank credentials and other sensitive personal information.
Similar to mobile banking Trojans discovered previously, Swearing Trojan can steal personal data and it can bypass two-factor authentication (2FA) security. Banking apps use two-factor authentication as a way to secure access by sending a one-time code to the user via SMS in addition to having the user enter his or her password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.
Swearing Trojan spreads using two primary infection methods:
- Droppers download malicious payloads once a user installs an infected app on a device.
- Attackers operate fake base transceiver stations (BTSs) that send phishing SMS messages masquerading as ones coming from Chinese telecom service providers China Mobile and China Unicom.
Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks.
Once an infected app is installed, it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to the victim’s contacts.
Swearing Trojan also uses the following phishing lures to spread:
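The two behaviours described above, an app that presents itself as a screen-lock utility yet positions itself to take over SMS delivery, are visible in an APK’s manifest before the app is ever run. The script below is an added example, not code from the post or from Check Point; it checks a decoded AndroidManifest.xml for SMS permissions and for a receiver registered on the `SMS_DELIVER` broadcast that a default SMS app handles. The two manifests are constructed, and the package and component names in them are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Permissions that let an app read, receive or send text messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# The broadcast action delivered to the device's default SMS app; declaring a
# receiver for it is how an app positions itself to replace the stock SMS app.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"

# Constructed manifests (not from the post); package and component names are placeholders.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockscreen">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <activity android:name=".LockScreenActivity"/>
  </application>
</manifest>
"""

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockscreen">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".LockScreenActivity"/>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Flag SMS permissions and an SMS_DELIVER receiver in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)
    sms_handler = any(a.get(ANDROID_NAME) == SMS_DELIVER_ACTION for a in root.iter("action"))
    findings = []
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
    if sms_handler:
        findings.append("declares an SMS_DELIVER receiver (can become the default SMS app)")
    return {
        "package": root.get("package"),
        "permissions": sorted(requested),
        "sms_permissions": sms_perms,
        "sms_handler": sms_handler,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        result = analyze_manifest(manifest)
        print(f"{label}: {result['package']} suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The manifest inside a real APK is stored as binary XML, so it has to be decoded first (apktool or androguard do this) before being fed to `analyze_manifest`. A screen-lock app that both holds SMS permissions and registers for `SMS_DELIVER` is worth pulling for manual review regardless of what the installer prompt showed the user.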
- Work related documents: A fake SMS message coming from a manager asks the user to download and open an important document right away, and to reply to comments inside.
- Photos or videos: A fake SMS message claims to include a picture of a memorable event, or to be of a cheating spouse.
- Trending events: A recent example posed as an MMS message including a video of a cheating celebrity wife caught in the act.
- App update notifications: An SMS message claims to be from a bank or telecom provider, and asks the user to install critical updates.
The Swearing Trojan doesn’t communicate with remote C&C servers. Instead it sends data back to an attacker using SMS or email. This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity.
Although Tencent reports the attackers are in custody following a police raid, Check Point researchers detected additional activity by the malware. So it’s possible that the attackers in custody were only part of a larger operation to spread the malware.
Since September 1, 2016, the Chinese government has enforced real ID registration for all mobile numbers. If owners fail to submit real ID information to the telecom service providers before the deadline, the mobile number is terminated. This new regulation should significantly reduce Swearing Trojan’s ability to spread using fake mobile numbers. However, phishing by email will still be an available attack vector for the malware.
In the original Tencent report, only 21cn.com email addresses were used. Check Point researchers have already seen the malware use other popular Chinese email service providers, such as 163.com, sina.cn and qq.com.
As of March 2017, we still observe new Swearing Trojan variants in the wild. We also see a trend toward using email accounts hosted on Aliyun and other cloud services (e.g. qwewa.com, Shanghai Meicheng Technology Information Development Co., LTD.).
Some of these email addresses are using a mobile number as their user name. Judging from the inconsistency between the numbers in the email addresses and the actual mobile number used in SMS, we believe Swearing Trojan variants are repackaged at least twice.
Many mobile malware families discovered in the Chinese market in the past, such as HummingBad, turned out to be early signs of threats that continued to spread worldwide. The wide spread of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these techniques can be adopted by western malware as well. To protect your organization against these tactics, and many others, you should implement advanced solutions, such as the Check Point Mobile Threat Prevention.
Appendix 1 – list of SHAs of notable variants
No. | SHA-256 | Email | Mobile | City | Province |
1 | 3a8de6ad201f258ff3cabae8e82f7772a7ea29cb90bdf19a6f0f6df7e9524d5c | Chax********#163.com | 181******08 | Dongguan | Guangdong |
2 | 61d75ea62b13a01374ad7f756d41f7d2989fe1b873cb009feb307347036eda8f | aa15********7#21cn.com | 131******00 | Guangzhou | Guangdong |
3 | 35d646807e472c7b9e2d8237e98b6ed1ab5cc4b4e05f87fc100c0890fd212d84 | 1550*******#sina.cn | 135******44 | Beijing | Beijing |
4 | 5aca849153f56c895130b9119791f8909c9c3ab342f1948448bafe1bcf0122e8 | 1317*******#sina.cn | 155******57 | Zhongshan | Guangdong |
5 | 38418bc93bbe2afddfd75b8e11e724dcd71cda86bee1bedcfba363943559c1c6 | Ccti****#aliyun.com | 130******16 | Guangzhou | Guangdong |
6 | 1ec4232ed1ab16f75e9b883424e5b248b439100d9f0cc25e812b49b609e79254 | Laod********1#21cn.com | 156******09 | Suzhou | Guangdong |
7 | 95ae4e91540ee1a8bb5ed52a3e935adc797a283ef94dd8dcb7b9d0f90368d1d2 | Laoqi*******68#21cn.com | 131******09 | Shenzhen | Guangdong |
8 | db57cec5603f9f4c557f1a07fce05904a807de92838bd94eef095bc59547ca29 | Fac*****#21cn.com | 156******33 | Zhongshan | Guangdong |
9 | 425f634574cfbe5b361dd9b92913825ff08c05c371638f7401764faac3b297ed | a13********#21cn.com | 132******64 | Suzhou | Jiangsu |
10 | 134565cab9a104e1dcd96b299ba43c1b735a96731f1418effb4e1c27f1c2400a | a13********#21cn.com | 132******64 | Suzhou | Jiangsu |
11 | a880b70acbeb8f7b130eb4e4aa8273cfa02d02985cc0a5ec7b96a26bc681aa4e | a13********#21cn.com | 158******20 | Xi’an | Shaanxi |
12 | 1b0a139a9af39c54a070d7b867ae497340ddcfc48bdb75901293d7de9ca9b5bf | a13********#21cn.com | 158******20 | Xi’an | Shaanxi |
13 | 17da46d70f88d754436ff6b6df0d8a1f618f13bb9b27c70f4e7f6d5bde53932c | Lao*******#21cn.com | 131******24 | Yangzhou | Jiangsu |
14 | 1c4422c2c281b51e35ee2b4f14f9d77e6be1fd9155b6b5f8f63a673d435001fa | Lao*******125#21cn.com | 159******25 | Guangzhou | Guangdong |
15 | ad0371ac2e8b33f0b4e0b4b5243171c4c5b7c400cbd2f91cb54f2a632375dd5f | a13********3#21cn.com | 135******43 | Shenzhen | Guangdong |
16 | cba32feded6d8b8f6a9810c5be4eac9067e64617da547c39a5108ec6baea5fda | Mk*******#21cn.com | 155******47 | Taian | Shandong |
17 | 65a34d6dcfbf8d6f56e2708ba7c4d717d4dcb6af169bcd24b2e920353aaab74a | lao1********25#21cn.com | 159******25 | Guangzhou | Guangdong |
18 | 2dd770959588616bcada53cb07c914545ee9535be1270fa5b9df4e99b735e0a8 | Sdf********2#21cn.com | 130******30 | Guangzhou | Guangdong |
19 | 5384843a8855667d813d34d6b025cdc7dce49ed3a6d50292f6dc6bf20e8e0c0e | Cao*******#21cn.com | 130******59 | Shenzhen | Guangdong |
20 | cdff33b5761a5082e5c030af7de7c481a959a9ce50da45ac5720b63e904049d2 | Xiaoc**********#21cn.com | 156******86 | Suzhou | Jiangsu |
21 | 3c770ce835311f41af271111197b64be44787e49d883ff838e7393e7fb2e0785 | Xiaoc**********#21cn.com | 156******86 | Suzhou | Jiangsu |
22 | 7a1beb660d3550372c109cdb3a4dcdf8ab1a67488f24f9bc7555ffe34f1809f8 | Caon*******#21cn.com | 130******59 | Shenzhen | Guangdong |
23 | 5d9cb23cf35e16fd351307af77d69c85c29cebb840ff851a51c2bae36452e9bd | Fg*****#21cn.com | 132******57 | Jiangmen | Guangdong |
24 | 59e127e735ee5fa125c6afc0530154a3eb5e717ce2416f357934d0b7ef95091d | a15**********#21cn.com | 150******28 | Shenzhen | Guangdong |
25 | 45d8d74bf54f8f8059d46e05b2dc3536c670e18e62f27d6c657e35598e99775f | q13********#21cn.com | 131******52 | Jining | Shandong |
26 | 0b2a5a91e659f672fa13059d3b8c15c28ae77a37a2938a66a9d06f5910194ead | Lao***********#21cn.com | 131******09 | Shenzhen | Guangdong |
27 | 23ad457567b619a0cdb6858ffc7b47b400a02d9dd3a632d06337279a508b7b7a | kim5*******#21cn.com | 155******97 | Guangzhou | Guangdong |
28 | 6435133f38cfa7b05f9897a16cee451d20665d377d4eae7e5bd2100a5d2b15f1 | shun1*********4#21cn.com | 137******24 | Shenzhen | Guangdong |
29 | 509b471f8993ed60dd34b0c312572ee16e292d235d228d28de8cb75522e9e4b3 | a130********#21cn.com | 130******59 | Guangzhou | Guangdong |
30 | d437995f1d6d423f97ac2eae7b4e282ad02427b11c4c0742c581b9db7712bb70 | a1589********#21cn.com | 158******20 | Xi’an | Shaanxi |
31 | 6a6024816aa0d58a0cb523e9e83f10ddd23bf1741884dfddf54ed3c7d4ccad66 | fa134*********#21cn.com | 134******05 | Guangzhou | Guangdong |
32 | 22c81d8430694495ac3774cdbbfb9b8c9b6585a755695fc5e96335c146e2030a | Dad******#21cn.com | 183******02 | Lianyungang | Jiangsu |
33 | 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c | ads13*********#21cn.com | 138******37 | Pingdingshan | Henan |
34 | e6a7a865dcda2a6f6803fcefb579c633243bd7f04aa1248c8970816cf5b73696 | xsa1*********#21cn.com | 131******13 | Guangzhou | Guangdong |
35 | 0f4e6a203e4f5fa07a5389652312b7964582db2a52ff3fe3ac6c90c8d77b816b | Nig********q#21cn.com | 131******76 | Guangzhou | Guangdong |
36 | 68a5719f0bb89340bef08eb6b975763567b2172c8835d76a9d3044d06ff1a137 | Kiiu***#21cn.com | 139******44 | Pingdingshan | Henan |
37 | 6374cc4c64119070285101cd1777cd4fbeee05a7f5730f3a6c54804cb16ce46a | ak136*********#21cn.com | 136******54 | Hebi | Henan |
38 | 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c | fa134*******#21cn.com | 134******05 | Guangzhou | Guangdong |
39 | e6a7a865dcda2a6f6803fcefb579c633243bd7f04aa1248c8970816cf5b73696 | dad1*****#21cn.com | 183******02 | Lianyungang | Jiangsu |
40 | 0f4e6a203e4f5fa07a5389652312b7964582db2a52ff3fe3ac6c90c8d77b816b | ads135********#21cn.com | 138******37 | Pingdingshan | Henan |
41 | 68a5719f0bb89340bef08eb6b975763567b2172c8835d76a9d3044d06ff1a137 | xsa131*******#21cn.com | 131******13 | Guangzhou | Guangdong |
42 | 6374cc4c64119070285101cd1777cd4fbeee05a7f5730f3a6c54804cb16ce46a | Nigejib*******#21cn.com | 131******76 | Guangzhou | Guangdong |
43 | abc6371d90c18a0e3a20a4dd042864ef2b02aa6fc7964ce6ad107dda0c1316d1 | Kiiu***#21cn.com | 139******44 | Pingdingshan | Henan |
44 | d050e445be3c3c2439b8267aa52293f90f8ce69bcbd8d31008c1d1da7e1b10c7 | ak136*********#21cn.com | 136******54 | Hebi | Henan |
45 | 28d3d7c4cd2405aa0da29593b43b86cba4974aaf7dcaeee00db332e9990e7fac | Laow******#21cn.com | 131******09 | Shenzhen | Guangdong |
46 | f3c0929f10da65168baf62a7cd17b8211183cf487fd15fecbad1d666c1ee34e6 | Lao*******#21cn.com | 130******59 | Shenzhen | Guangdong |
47 | 7a7bef9d7bbbabc1bb16d1d8476fd0d48faffde0257f400bd5bd720736f8d207 | Ye*******#21cn.com | 155******54 | Jinan | Shandong |
48 | bbe118a3e3076d674c978732edfa14f77f610d899021d1af62ad04017ac08b5e | a132*********#21cn.com | 132******14 | Jinan | Shandong |
49 | 7b318cf4bc31379a417024c69c4491a64d64cca898020eba3bf2b35bca3d1d54 | Laoq*******#21cn.com | 136******79 | Luoyang | Henan |
50 | ee1858f4d8dc15a87d2d98e91630978ba8144977d5fd7bb43b206853f35b41dc | 306*******#qq.com | | | |
51 | 2319844669f5958a390d7fe85e4e7433dd6bdb138c0f4baf47813cdf3f775d65 | qq130*********#21cn.com | 132******32 | Shenzhen | Guangdong |
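Two things a practitioner does with a list like Appendix 1 before loading it into a blocklist are to deduplicate the hashes (the table repeats several of them, for instance rows 33 and 38) and to apply the consistency check the text above relies on: comparing the digits embedded in the e-mail user name with the visible prefix of the sender’s mobile number, where a mismatch suggests the sample was repackaged. The script below is an added example, not code from the post or from Check Point. It parses a handful of rows copied from the appendix (the `#` is the post’s own defanging of `@`); the function names, the prefix-comparison rule for masked values, and the choice of rows are my assumptions.

```python
import re
from collections import defaultdict

# Rows copied from Appendix 1 of the post; '#' stands for '@' as in the original table.
# Rows 33 and 38 share a hash in the original, and row 50 has no mobile or location data.
APPENDIX_ROWS = """\
3 | 35d646807e472c7b9e2d8237e98b6ed1ab5cc4b4e05f87fc100c0890fd212d84 | 1550*******#sina.cn | 135******44 | Beijing | Beijing |
9 | 425f634574cfbe5b361dd9b92913825ff08c05c371638f7401764faac3b297ed | a13********#21cn.com | 132******64 | Suzhou | Jiangsu |
29 | 509b471f8993ed60dd34b0c312572ee16e292d235d228d28de8cb75522e9e4b3 | a130********#21cn.com | 130******59 | Guangzhou | Guangdong |
33 | 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c | ads13*********#21cn.com | 138******37 | Pingdingshan | Henan |
38 | 33fef68db6d75f702671826e0ed5380c0571642b61c43d207a065a83fc3d488c | fa134*******#21cn.com | 134******05 | Guangzhou | Guangdong |
50 | ee1858f4d8dc15a87d2d98e91630978ba8144977d5fd7bb43b206853f35b41dc | 306*******#qq.com | |||
"""

SHA256_RE = re.compile(r"[0-9a-f]{64}")
FIELDS = ("no", "sha256", "email", "mobile", "city", "province")


def parse_rows(text):
    """Parse pipe-delimited appendix rows into dicts, rejecting malformed hashes."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (len(FIELDS) - len(cells))  # pad rows with missing trailing cells
        row = dict(zip(FIELDS, cells))              # zip drops the empty cell after the last '|'
        row["no"] = int(row["no"])
        row["sha256"] = row["sha256"].lower()
        if not SHA256_RE.fullmatch(row["sha256"]):
            raise ValueError(f"row {row['no']}: malformed SHA-256 {row['sha256']!r}")
        rows.append(row)
    return rows


def duplicate_hashes(rows):
    """Map each hash that appears more than once to the row numbers that carry it."""
    seen = defaultdict(list)
    for r in rows:
        seen[r["sha256"]].append(r["no"])
    return {h: nos for h, nos in seen.items() if len(nos) > 1}


def visible_digits(masked):
    """Leading digit run of a masked value: 'a130****' -> '130', '135******44' -> '135'."""
    m = re.match(r"[A-Za-z]*(\d+)", masked)
    return m.group(1) if m else ""


def numbers_consistent(email, mobile):
    """Compare the number in the e-mail user name with the sender's mobile number.

    Only the unmasked prefixes can be compared, so the verdict covers the overlapping
    digits: True/False, or None when either side has no visible digits at all.
    """
    e = visible_digits(re.split(r"[#@]", email)[0])
    m = visible_digits(mobile)
    n = min(len(e), len(m))
    if n == 0:
        return None
    return e[:n] == m[:n]


def triage(rows):
    """Summarise an IoC table: unique hashes, duplicated rows and number mismatches."""
    report = {
        "unique_hashes": len({r["sha256"] for r in rows}),
        "duplicates": duplicate_hashes(rows),
        "mismatched": [],  # e-mail number and SMS sender disagree: likely repackaged
        "unknown": [],     # no mobile number on record
    }
    for r in rows:
        verdict = numbers_consistent(r["email"], r["mobile"])
        if verdict is None:
            report["unknown"].append(r["no"])
        elif not verdict:
            report["mismatched"].append(r["no"])
    return report


if __name__ == "__main__":
    rep = triage(parse_rows(APPENDIX_ROWS))
    print(f"{rep['unique_hashes']} unique hashes; duplicated: {rep['duplicates']}")
    print(f"number mismatch: {rep['mismatched']}; no mobile data: {rep['unknown']}")
```

Because both columns are masked, the comparison is only as strong as the few digits left visible; a match on two or three leading digits rules little out, whereas a mismatch (row 3 above) is a firm signal that the e-mail account and the sending number were not set up together.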