A fairly complex cyberattack campaign is under way in China. As reported by Infosecurity Magazine, the culprit is the “Swearing Trojan,” so named because of the expletives found in its source code. The Trojan was first identified by security researchers at the Chinese technology company Tencent, and since its discovery it has been analyzed by other companies as well.
Most notable of these is Check Point Software Technologies. In a blog post, security researcher Feixiang He gave an in-depth account of the Swearing Trojan’s infection vectors, how it operates, and what information it is after. The malware’s goal is a common one: Swearing Trojan targets its victims’ banking credentials and any other sensitive data that can be turned into financial gain.
Once installed, the Trojan bypasses SMS-based two-factor authentication by “replacing the original Android SMS app with an altered version of its own,” which lets it intercept any one-time codes a bank sends by text message. The Trojan is also stealthy on the network side: as He points out, it “doesn’t communicate with remote C&C servers” and instead sends “data back to an attacker using SMS or email.” With no command-and-control traffic, there is nothing for network monitoring to flag, and the infected user has little reason to suspect that anything is wrong.
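The behaviour described above, an inbound bank code that is quietly re-sent by SMS to an attacker-controlled number, leaves a pattern that can be spotted in a message log. The following Python detector is an added example written for this article; it is not code from the Check Point report or from the Trojan itself. It assumes you have an SMS log collected outside the compromised handset (for example from a mobile-device-management agent or carrier records, since the Trojan controls the on-device SMS app), and the sample messages, sender IDs and phone numbers in it are constructed for illustration.

```python
"""Heuristic detector for the OTP-relay exfiltration pattern described above.

Constructed example for this article; not the Trojan's code and not Check Point's.
Flags any inbound message carrying a numeric one-time code whose code is re-sent
shortly afterwards to a number that is not on a trusted list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# 4-8 digit standalone numbers: typical length of SMS one-time codes (heuristic).
OTP_RE = re.compile(r"\b\d{4,8}\b")
# A relay by malware happens within seconds; a generous window still catches it.
RELAY_WINDOW = timedelta(minutes=5)


@dataclass
class Sms:
    ts: datetime
    direction: str  # "in" (received by the handset) or "out" (sent by it)
    peer: str       # sender ID for inbound, recipient number for outbound
    body: str


def extract_otps(body: str) -> set:
    """Return the set of candidate one-time codes found in a message body."""
    return set(OTP_RE.findall(body))


def find_relayed_otps(messages, trusted_peers):
    """Return (inbound, outbound) pairs where a code received in `inbound` is
    re-sent within RELAY_WINDOW to a peer not in `trusted_peers`.

    The attacker's drop number used by Swearing Trojan would show up here as
    the outbound peer; the user's own contacts and known service numbers are
    passed in `trusted_peers` to keep ordinary forwarding from alerting.
    """
    inbound = [m for m in messages if m.direction == "in"]
    outbound = [m for m in messages if m.direction == "out"]
    alerts = []
    for i in inbound:
        codes = extract_otps(i.body)
        if not codes:
            continue
        for o in outbound:
            if o.peer in trusted_peers:
                continue
            if not (i.ts <= o.ts <= i.ts + RELAY_WINDOW):
                continue
            if codes & extract_otps(o.body):
                alerts.append((i, o))
    return alerts


# Constructed sample log (sender IDs and numbers are made up for the example).
T0 = datetime(2017, 3, 20, 10, 0, 0)
SAMPLE_LOG = [
    Sms(T0, "in", "BANK", "[Bank] Your verification code is 482913. Do not share it."),
    Sms(T0 + timedelta(seconds=7), "out", "+8613800000000", "482913"),  # relay to attacker
    Sms(T0 + timedelta(minutes=1), "out", "+8613700000000", "Lunch at 12?"),
    Sms(T0 + timedelta(hours=1), "in", "TELCO", "Your bill this month is 150 yuan."),
]
# The user's contact and the legitimate service numbers; anything else is suspect.
TRUSTED_PEERS = {"BANK", "TELCO", "+8613700000000"}


if __name__ == "__main__":
    for inbound, outbound in find_relayed_otps(SAMPLE_LOG, TRUSTED_PEERS):
        print(f"ALERT: code from {inbound.peer} re-sent to {outbound.peer} "
              f"{(outbound.ts - inbound.ts).total_seconds():.0f}s later")
```

The heuristic trades precision for recall: a user who genuinely forwards a code to a friend not in the trusted list will also trip it, so the output is a triage lead rather than a verdict. The important design point is that the log must come from somewhere the malware does not control; a replaced SMS app can hide or delete the relayed message on the handset itself.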
Swearing Trojan reaches users’ Android devices in two main ways. The first is trojanized apps that drop their malicious payload as soon as the user finishes installing them. The second is more elaborate: as Feixiang He explains in his report, “attackers operate fake base transceiver stations (BTSs) that send phishing SMS messages masquerading as ones coming from Chinese telecom service providers China Mobile and China Unicom.” Because the rogue base station spoofs the sender, the messages look like they came from the carrier, and users who click the embedded URL download the Swearing Trojan payload.
While the Trojan is still in the wild, there is some good news. The people who deployed Swearing Trojan were not as stealthy as their malware: they have been arrested following a major police operation. It is unknown, however, whether they were part of a larger group that continues to spread the Trojan. Beyond common sense about unexpected links in text messages, the defense Feixiang He recommends is advanced threat detection software.
Variants of the Swearing Trojan code have since turned up in new malware attacks, so continued vigilance is needed against a threat that is still growing. It may not be long before this Chinese malware becomes an international problem.
Photo credit: Maia Valenzuela/Flickr