Attackers in China are using rogue cell base stations to spread versions of an Android banking Trojan that steals user credentials and has the ability to bypass two-factor authentication.
The malware, known as the Swearing Trojan for some impolite language found in the Chinese code, has been in circulation for several months and uses a number of different methods to spread, including traditional phishing emails and SMS messages. The most sophisticated method, though, is the use of fake base transceiver stations (BTSs), which the attackers employ to send SMS messages to victims. The texts appear to come from a Chinese telecom operator and contain a link that will infect the user’s device with the malware.
“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” Fixing He, a mobile security researcher at Check Point, said in an analysis of the malware.
“Once an infected app is installed it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to a victim’s contacts.”
The use of a fake cell tower to reach victims is an interesting and troubling evolution of the malware infection cycle. Attackers are always looking for new ways to infect victims, and while typical phishing scams still work, more creative vectors can be effective as well. Cybercrime gangs have used SMS phishing for a long time, but delivering the messages through a rogue BTS lets the attacker set the sender field directly, so the text arrives looking as if it came from the carrier rather than from an unknown number, which makes the lure considerably more convincing.
After it’s on a new device, the Swearing Trojan goes to work stealing the user’s banking credentials. It also has the ability to intercept 2FA codes from a victim’s bank.
“Banking apps use two-factor authentication as a way to secure access by sending a one-time code to the user via SMS in addition to having a user enter his or her password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless,” He said.
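A first-response check that follows from the technique described above: if a trojan has made itself the device’s SMS handler, the fact is visible in the device’s own settings and package metadata. The following triage helper is an added example, not code from Check Point or from the article. It parses the output of two commands an analyst would run over adb on a seized device, `settings get secure sms_default_application` and `dumpsys package`, and flags a default SMS app outside an allowlist plus any non-messaging package that requests SMS permissions. The outputs embedded below are constructed samples in the shape those commands print, and every package name in them is hypothetical.

```python
"""Triage helper: spot an unexpected default SMS handler on an Android device.

Added example, not the article's or Check Point's code. The two inputs
mimic what these adb commands return on a device under examination:

    adb shell settings get secure sms_default_application
    adb shell dumpsys package

Both samples below are constructed; the package names are hypothetical.
"""
import re

# Constructed: what `settings get secure sms_default_application` returns
# on a device where a trojan has installed itself as the SMS handler.
SAMPLE_DEFAULT_SMS_APP = "com.android.update.service\n"

# Constructed excerpt in the shape of `dumpsys package` output. The second
# package mirrors the article's description: SMS permissions plus the
# screen-lock permission DISABLE_KEYGUARD, under an innocuous-looking name.
SAMPLE_DUMPSYS = """\
Package [com.android.mms] (a1b2c3):
  userId=10042
  requested permissions:
    android.permission.RECEIVE_SMS
    android.permission.SEND_SMS
    android.permission.READ_SMS
Package [com.android.update.service] (d4e5f6):
  userId=10133
  requested permissions:
    android.permission.RECEIVE_SMS
    android.permission.SEND_SMS
    android.permission.READ_CONTACTS
    android.permission.DISABLE_KEYGUARD
Package [com.example.flashlight] (0a0b0c):
  userId=10140
  requested permissions:
    android.permission.CAMERA
"""

# Assumption: the SMS handlers we expect to see as the default on this
# fleet. Extend with the OEM messaging app for the devices you examine.
KNOWN_SMS_APPS = {
    "com.android.mms",
    "com.android.messaging",
    "com.google.android.apps.messaging",
}

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def parse_requested_permissions(dumpsys_text):
    """Map package name -> set of permissions listed under 'requested permissions:'."""
    perms = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):
            # Any other section header (install permissions:, etc.) ends the list.
            in_requested = False
            continue
        if in_requested and stripped.startswith("android.permission."):
            perms[current].add(stripped)
    return perms


def sms_capable_packages(perms):
    """Packages that request at least one SMS permission, sorted by name."""
    return sorted(pkg for pkg, requested in perms.items() if requested & SMS_PERMS)


def triage(default_sms_setting, dumpsys_text, known=KNOWN_SMS_APPS):
    """Return (default SMS app, list of findings) for the analyst's report."""
    default_app = default_sms_setting.strip()
    perms = parse_requested_permissions(dumpsys_text)
    findings = []
    if default_app and default_app not in known:
        findings.append(f"default SMS app is unexpected: {default_app}")
    for pkg in sms_capable_packages(perms):
        if pkg not in known:
            findings.append(f"non-messaging package requests SMS permissions: {pkg}")
    return default_app, findings


if __name__ == "__main__":
    app, findings = triage(SAMPLE_DEFAULT_SMS_APP, SAMPLE_DUMPSYS)
    print(f"default SMS app: {app}")
    for f in findings:
        print(f"FINDING: {f}")
```

Two caveats for real devices. Since Android 4.4 only the default SMS app receives the SMS_DELIVER broadcast and may write to the SMS provider, which is why the trojan has to take that role rather than just hold RECEIVE_SMS; other apps holding RECEIVE_SMS still see the SMS_RECEIVED broadcast, so the permission list matters even when the default handler looks clean. On Android 10 and later the default is managed as a role, so check `adb shell cmd role get-role-holders android.app.role.SMS` as well as the legacy secure setting.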
Although the Swearing malware has only been seen in China, He said it is likely that the Trojan’s tactics will find their way into other malware soon.
“The wide spread of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well.”