Chinese Hackers Spread Android Banking Trojan Using Fake Cellphone Tower

According to a Check Point Software blog post, Chinese hackers using a rogue cell phone tower have taken smishing to the next level. The hackers are distributing Android banking malware via spoofed SMS messages sent from these rogue cell towers.

Security researchers at Check Point discovered that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute “Swearing Trojan,” an Android banking malware.

Smishing — phishing attacks sent via SMS — is a type of attack in which the bad guys use a spoofing attack to send convincing bogus messages that trick mobile users into downloading a malware app onto their smartphones or lure victims into giving up sensitive information. The maximum range of a BTS antenna is about 10-22 miles, which makes this a very effective and sophisticated technique for targeted attacks.

This is the first ever reported real-world case

This is the first ever reported real-world case in which the bad guys used BTS — a piece of equipment usually installed on cellular telephone towers — to spread malware.

The phishing SMS, which masquerades as coming from the Chinese telecom service providers China Mobile and China Unicom, contains very convincing text with a link to download a malicious Android APK. Since the Google Play Store is blocked in China, the SMS easily tricks users into installing the APK from an untrusted source.

Check Point said in their blog post: “Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware.”

Once installed, the Swearing malware spreads itself further by sending automated phishing SMS messages to the victim’s contacts.
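The two observable behaviours described above, the telecom-impersonating SMS carrying a direct APK link and the burst of identical messages sent to a victim's contacts, as a defender-side triage script run over constructed message logs. This is an added example, not Check Point's code or anything from the campaign; the sender names, the example.invalid host, timestamps and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real captures: (direction, timestamp, peer, text).
SAMPLE_SMS = [
    ("in",  "2017-03-20 09:00:00", "China Mobile", "Your bill is ready: http://example.invalid/bill.apk"),
    ("in",  "2017-03-20 09:05:00", "Alice",        "Lunch at 12?"),
    ("in",  "2017-03-20 09:10:00", "China Unicom", "Points expiring, claim at http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:00:00", "+86100000001", "Check this http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:00:30", "+86100000002", "Check this http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:01:00", "+86100000003", "Check this http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:01:30", "+86100000004", "Check this http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:02:00", "+86100000005", "Check this http://example.invalid/app.apk"),
    ("out", "2017-03-20 10:02:30", "+86100000006", "Check this http://example.invalid/app.apk"),
]

# A link that points straight at an APK is the page's key indicator for the lure.
APK_LINK = re.compile(r"https?://\S+\.apk\b", re.IGNORECASE)
# Brands the page says the lure impersonates (assumed to appear as the displayed sender).
IMPERSONATED_BRANDS = ("china mobile", "china unicom")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def flag_inbound(records):
    """Inbound messages whose sender poses as a telecom brand AND carry a direct APK link."""
    return [(ts, peer) for direction, ts, peer, text in records
            if direction == "in" and peer.lower() in IMPERSONATED_BRANDS and APK_LINK.search(text)]


def flag_outbound_burst(records, threshold=5, window=timedelta(minutes=5)):
    """Links sent outbound to >= threshold distinct recipients inside one window.

    This is the self-propagation pattern: the infected phone mass-texts its contacts.
    """
    by_link = defaultdict(list)
    for direction, ts, peer, text in records:
        match = APK_LINK.search(text) if direction == "out" else None
        if match:
            by_link[match.group(0)].append((datetime.strptime(ts, TS_FMT), peer))
    bursts = []
    for link, sends in by_link.items():
        sends.sort()
        for i, (start, _) in enumerate(sends):  # slide the window over each send as a start point
            recipients = {p for t, p in sends[i:] if t - start <= window}
            if len(recipients) >= threshold:
                bursts.append(link)
                break
    return bursts
```

On a real device these records would come from the SMS content provider or a mobile EDR export; the thresholds should be tuned against normal usage before alerting.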

No Command & Control Servers

It is noteworthy that, to avoid detection, the Swearing trojan does not connect to a C&C server but instead uses SMS or email to send stolen data back to the bad guys. Check Point said: “This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity.”