Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

“Swearing Trojan” Tactics Could Become Global Threat: Researchers

Check Point security researchers have warned that tactics employed by a mobile Trojan targeting users in China might become a worldwide threat when adopted by Western malware.

Check Point security researchers have warned that tactics employed by a mobile Trojan targeting users in China might become a worldwide threat when adopted by Western malware.

Called the “Swearing Trojan”, the threat was discovered not long ago by Tencent Security researchers, who revealed that the threat can steal bank credentials and other sensitive personal information from Android devices. The malware’s name comes from Chinese swear words that were found inside the malware’s code.

The Swearing Trojan can also bypass 2-factory authentication (2FA) security by replacing the original SMS app on the infected devices with an altered version, which allows it to intercept the one-time codes banks send to their users.

The malware was observed spreading through droppers that download malicious payloads on compromised devices, and via fake base transceiver stations (BTSs) that send phishing SMS messages purportedly coming from China Mobile and China Unicom, two of the largest Chinese telecom service providers. Similar tactics could be adopted by Western malware too, researchers say.

“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” Check Point reveals.

Once the malware has infected a device, it starts sending automated phishing SMSs to the victims’ contacts. SMS messages spreading Swearing Trojan might also attempt to trick the victim into downloading a work related document, a picture of a memorable event or that of a cheating spouse, a video of a trending event, or even critical updates. The malware itself uses SMS or email to communicate with the command and control server.

As it turns out, the actors using this Trojan have been already arrested, but Check Point says the malware still remained active, likely because the attackers were part of a larger operation. What’s more, the researchers say that only email addresses were used in the initial campaign, but new attacks used other popular Chinese email service providers as well, including, and

Furthermore, new variants of the Swearing Trojan were observed in the wild recently, along with a trend to use Aliyun and other cloud service hosted email accounts. Some of these email addresses are using a mobile number as their user name, and inconsistencies between these numbers and the actual mobile number used in SMS suggest that the Trojan variants are repackaged at least twice.

“Many mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be early birds which continued to spread worldwide. The widespread of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well,” the researchers conclude.

Related: Millions Download HummingBad Variant via Google Play

Related: Android Malware Gang Makes $10,000 a Day: Report

Related: Android Trojan Intercepts Voice Call-Based 2FA: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.