Malware authors in China are using fake base transceiver stations (BTSs), which is equipment usually installed on cellular telephone towers, to send spoofed SMS messages that contain links to Android malware.

This is the first ever reported case when malware authors have used base stations to spread malware, a trend that Avast predicted in 2014, but which never came to fruition until now.

Fake BTS attacks spread Swearing trojan

The attacks spread an Android malware strain called Swearing, named so because its source code contains many Chinese curse words. Discovered last year by security researchers from Tencent Security, this malware was and is only active in China.

The way the Swearing group deploys its malware is unique and unseen with any other Android malware gang.

Crooks are using rogue BTS equipment to trap nearby mobile devices into a separate mobile network. Here they send SMS messages to the victim, spoofed to appear like they come from their mobile provider. Attacks have been observed with SMS messages spoofed for providers such as China Mobile and China Unicom.

The SMS messages contain links to malicious APK (Android application) files that users must install. Because the Google Play Store is blocked in China, locals are accustomed to installing APKs from untrusted sources, so the social engineering factor is not a big hurdle if you get the user to access the URL in the first place.

"Swearing" is an all-around threat

These APKs contain the Swearing trojan, which is an all-around threat that can collect personal user data from infected devices, show phishing messages to collect login credentials, and intercept SMS messages to bypass two-factor authentication systems or other one-time code systems used by Chinese banks.

Tencent says that in some cases, the Swearing gang used different themes for their SMS lures, such as links to photos or videos of a cheating spouse, from recent trending events, or of a cheating celebrity wife caught in the act.

Nonetheless, the most efficient lures are the standard ones, SMS messages coming from telco providers or banks offering users download links to a critical update of their mobile app.

While some members of the Swearing gang have been apprehended by Chinese authorities last year, it appears that attacks using the Swearing malware and cellular base stations have continued to take place after the arrests.

Swearing's tactics expected to spread worldwide

Check Point reported today new attacks with slightly modified versions of the Swearing malware.

The Israel-based security firm also cites the case of HummingBad, an Android trojan that also started on the proficient Chinese mobile malware market, only to spread with attacks on global targets, becoming one of today's most prevalent Android malware strains.

Just like HummingBad, attacks with Swearing are expected to spread to other countries, especially due to the efficiency of using BTS equipment to entrap and trick users into installing the malware payload.

In August 2016, mobile security firm Zimperium has published research that highlighted a vast array of vulnerabilities in BTS equipment used by many mobile telecommunications providers. Crooks can use these flaws to take over existing cellular towers, meaning they don't necessarily need to buy custom BTS devices to spread their malware.

Photo by Ervins Strauhmanis