In China, cybercriminals are using fake mobile base stations to continue the spread of Swearing Trojan malware throughout the country.

Swearing Trojan, named after the Chinese swear words that appear in the code, can infect a device one of two ways: either by dropping malicious code through an infected device, or through a fake base transceiver station (BTS) that sends phishing SMS messages disguised as legitimate messages from telecom providers China Mobile or China Unicom.

The fake BTS phishing scam sends a realistic SMS message to unsuspecting users who are tricked into clicking an unsafe URL, automatically installing the Swearing Trojan malware. The SMS messages are generally from telecom providers or financial institutions, but instances have occurred where the link appears to be sent via personal contacts.

Once a device is infected, the malware may spread by sending further phishing requests to the original victim’s contacts. The phishing requests could come in the form of links disguised as work-related documents, photos or videos, trending events and celebrity scandals, or app update notifications.

Researchers also found that attackers may bypass two-factor authorization required by banking apps by replacing a legitimate SMS app with an alternate version on infected devices. The new SMS app is one with a backdoor, allowing cybercriminals to access messages. A request is sent to the financial institution through the banking app, and when the victim is sent a message from their bank with a verification code, the hacker can intercept the code and thereby access the user’s accounts and financial information.

Rather than communicating with a central command and control (C&C) server, like most malware, the Swearing Trojan malware communicates directly with hackers through SMS messages and email, making it more difficult to trace.

Tencent reported that the perpetrators of the Swearing Trojan scam were in custody following a police raid, however, it appears that activity is ongoing. The new concern that the CheckPoint researchers have is that Swearing Trojan could easily be adapted to infect devices outside of China as well. As past experience has shown, for example, with mobile malware Hummingbad, scams that were first discovered in the Chinese market were later found in other markets worldwide.