Chinese phishing scum are deploying fake mobile base stations to spread malware in text messages that might otherwise get caught by carriers.
The Android scumware being spread isn’t new to China: known as the “Swearing Trojan” because of profanities in code comments, its authors are already under arrest. But the fake base station is a new vector, according to this research note from Check Point.
The base stations send SMS messages purporting to be from China Telecom or China Unicom, offering a malicious URL apparently endorsed by a customer’s operator. Check Point says China’s Tencent has also seen a more conventional malware dropper in infected applications.
The trojan replaces the Android SMS application with its own, meaning it can steal message-based 2FA such as bank tokens; and it spreads from the infected user by sending phishing messages to victims’ contacts.
Check Point says it’s also seen Swearing use messages about work documents, photos/videos, app update notifications, and the perennial “nude celebrity” message.
Instead of command-and-control servers, the malware uses SMS to send information back to its masters. And since Tencent had reported arrests of people associated with Swearing, it looks like there are others associated with the campaign.