Swearing Trojan Exploit Overview

Swearing Trojan Exploit Overview

abril 3, 2017 | Adeline Zhang

Author: Cody Mercer – Senior Threat Intelligence Researcher

Executive Overview

A new mobile banking Trojan titled ‘Swearing Trojan’ has been discovered by Tencent Security and Checkpoint researchers. The odd name of the malware is in part attributed to the various Chinese swear words sparsely distributed in the source code. The primary attributes associated with the compromised victims includes theft of sensitive personal information, or PII, and of course the users banking credentials.

Moreover, the Trojan is capable of bypassing 2-factor authentication and has reeked the majority of its havoc in various China provinces on users that utilize android hand-held smart devices. Once a victim has been compromised it is possible that the Trojan will also spread the malware to all the contacts within the user’s phone.

Threat Campaign

As previously mentioned the Swearing Trojan is capable of bypassing 2FA and infiltrates its victims in several ways. The primary means to deploy it payload is through users unsuspectingly downloading an infected app on to their smart phone which in turn propagates itself onto the user’s device.

Additionally, the payload is distributed via fake base transceiver stations (FTS) operated by the attackers that send SMS messages. The SMS messages deceive their victims into believing that their origin is from reputable Chinese telecom service providers China Mobile and China Unicom.

Attack Vectors

The Swearing Trojan deploys itself primarily through SMS messaging using one or more of the various TTP’s (Technics, Tactics, and Procedures):

a.) Notifications sent to a user’s phone from a particular bank advising the immediate need to update the app via the included hyperlink

b.) Media in the form of pictures and videos that once clicked on deploys its payload onto the hand-held device

c.) Attackers claiming to be Corporate managers sending out documents that need to be downloaded and opened

Seemingly, the Swearing Trojan does not communicate with a CnC (Command and Control) center once 2FA has been bypassed. This technique permits for communication between attacker and victim through email or SMS masking its deception and hindering tracing and location identification of the attacker.


NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

 For more information about NSFOCUS, please visit:



He, F. (2017). Swearing Trojan Continues to Rage, Even After Author’s Arrest. Retrieved from: http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/