Security experts have uncovered a sophisticated cyber-attack campaign in China designed to spread Android malware via fake mobile base stations.
The “Swearing Trojan” malware – so named because of the Chinese expletives found in its code – was first discovered by Chinese web giant Tencent’s security business.
It’s designed to steal personal info and even bypass banks’ two-factor authentication systems by intercepting incoming SMS codes for account log-ins.
Most interestingly it has been observed spreading via fake base transceiver stations (BTSs), which are operated by the attackers. These send phishing texts to the targeted phones spoofed to appear as if they came from telcos China Mobile and China Unicom.
“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” explained Check Point mobile security researcher, Feixiang He.
“Once an infected app is installed it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to a victims’ contacts.”
Crucially, the Trojan doesn’t communicate with a C&C server but sends back any information obtained to the attacker via text or email, helping it stay undercover.
Other phishing tactics used to spread the malware include fake app update notifications; malicious MMS messages related to trending events; and work-related documents.
He warned that such tactics could be used outside of China if cyber-criminals elsewhere see them performing well.
“Many mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be early birds which continued to spread worldwide,” he said. “The widespread use of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well.”
Michael Downs, director of telecoms security at Positive Technologies, explained that detecting fake base stations can be tricky, so it’s not clear how widespread the practice is.
“The issue is that the equipment to create a fake tower is legitimately available and relatively inexpensive to purchase. For those lacking the technical prowess, ‘how to’ guides can be found online. If that’s not worrying enough, there are even ready-made solutions traded where all that’s needed is to switch it on,” he added.
“That said, operators could do more to keep track of their radio perimeter. Analyzing radio signals can help identify fake BTS and, with the use of triangulation, pinpoint the location so fake towers can be disassembled.”