
Swearing Trojan


First posted on 24 March 2017.
Source: SecurityHome

Aliases:

There are no other names known for Swearing Trojan.

Explanation:

The malware infected a wide spread of Android users in China, stealing their bank credentials and other sensitive personal information.

Similar to mobile banking Trojans discovered previously, Swearing Trojan can steal personal data and it can bypass two-factor authentication (2FA). Banking apps use two-factor authentication as a way to secure access by sending a one-time code to the user via SMS in addition to having the user enter his or her password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.

Swearing Trojan spreads using two primary infection methods:

  • Droppers download malicious payloads once a user installs an infected app on a device.

  • Attackers operate fake base transceiver stations (BTSs) that send phishing SMS messages masquerading as ones coming from Chinese telecom service providers China Mobile and China Unicom.


Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs the malware. Fake messages purporting to come from a person the victim is romantically involved with have also been seen in these attacks.

Once an infected app is installed, it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to the victim's contacts.
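The interception described above depends on the malicious app being registered as the device's default SMS handler, and Android only allows that for an app whose manifest declares a fixed set of SMS components. The following static-triage script, added here as an illustration and not part of this entry or of any analysis of Swearing Trojan, parses an AndroidManifest.xml and reports whether an app declares those components or SMS permissions at all. Both manifests it checks are constructed for the example; the package names are placeholders, and the component list follows Android's documented default-SMS-app requirements.

```python
"""Static triage of an AndroidManifest.xml for SMS-takeover capability.

Added example (not from the original entry). Manifests below are constructed;
package names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose SMS content (enough to read a one-time code).
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Intent actions an app must handle before Android will let it become the
# default SMS app, i.e. receive incoming SMS instead of the stock messenger.
DEFAULT_SMS_HANDLER_ACTIONS = {
    "receiver:android.provider.Telephony.SMS_DELIVER",
    "receiver:android.provider.Telephony.WAP_PUSH_DELIVER",
    "service:android.intent.action.RESPOND_VIA_MESSAGE",
}


def _name(element):
    """Return the android:name attribute of a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}name")


def triage_manifest(manifest_xml):
    """Summarise the SMS-related capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    permissions = {_name(p) for p in root.iter("uses-permission")}
    actions = set()
    for kind in ("receiver", "service", "activity"):
        for component in root.iter(kind):
            for action in component.iter("action"):
                actions.add(f"{kind}:{_name(action)}")
    handler_actions = actions & DEFAULT_SMS_HANDLER_ACTIONS
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "sms_handler_actions": sorted(handler_actions),
        # True only when every action needed to take over as default SMS app is declared.
        "can_become_default_sms_app": handler_actions == DEFAULT_SMS_HANDLER_ACTIONS,
    }


def verdict(findings):
    """Turn triage findings into a one-line review priority."""
    if findings["can_become_default_sms_app"]:
        return "HIGH: declares full default-SMS-app handler set; could intercept OTP SMS"
    if findings["sms_permissions"]:
        return "MEDIUM: requests SMS permissions; review why"
    return "LOW: no SMS access declared"


# Constructed manifest of an app that only touches the screen lock.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lockscreen">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest of an app declaring everything a replacement SMS app needs.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        findings = triage_manifest(manifest)
        print(findings["package"], "->", verdict(findings))
```

Run against a manifest extracted from an APK (for example with apktool), the script gives a quick first cut: an app whose stated purpose has nothing to do with messaging but which declares the full default-SMS handler set deserves a closer look before it is allowed on a device that receives banking codes.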

There are more phishing scams Swearing Trojan uses to spread:

  • Work-related documents: A fake SMS message coming from a manager asks the user to download and open an important document right away, and to reply to comments inside.

  • Photos or videos: A fake SMS message claims to include a picture of a memorable event, or to be of a cheating spouse.

  • Trending events: A recent example posed as an MMS message including a video of a cheating celebrity wife caught in action.

  • App update notifications: An SMS message claims to be from a bank or telecom provider, and asks the user to install critical updates.


The Swearing Trojan doesn't communicate with remote C&C servers. Instead it sends data back to an attacker using SMS or email. This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity.

Last update 24 March 2017
