Stingray for criminals: spreading mobile malware with fake cellphone towers

Police who rely on vulnerabilities in crooks' devices are terminally compromised; the best way to protect crime victims is to publicize and repair defects in systems, but every time a hole is patched, the cops lose a tool they rely on to attack their own adversaries.



Case in point: fake cellphone towers.


By design, cellphones mistrust their owners. Owners are not supposed to be able to see, control or alter the low-level communications their phones undertake with towers, lest they figure out how to avoid being billed for their calls and data use, or even attack other phones connected to the same tower.


This means that attacks against these low-level systems are extremely hard for phone owners to detect or prevent, which is why law enforcement has become so reliant on fake cell towers (called "dirtboxes," "stingrays" or "IMSI catchers") to spy on cellphone users and even inject malicious data into their streams.


Because this attack works best when the victim doesn't know it's possible, cops and prosecutors went to crazy lengths to keep it secret: lying to judges, raiding local police forces to steal their records, engaging in bulk-redaction of records -- only to be outed by an obsessive jailhouse lawyer.

But security flaws in cellphones don't just make criminals vulnerable to attacks from cops: they leave everyone vulnerable to attacks on their phones.

Case in point: Swearing Trojan.

Swearing Trojan (named for the Chinese curse words sprinkled in its source code) is a piece of mobile malware used to defeat 2-factor authentication systems like those that protect banking logins and corporate networks. By hiding in the phone, it is able to steal 2-factor messages and convey them to criminals at login time.


Swearing Trojan's author is in jail, but the malware lives on, and one of its most effective tools for spreading itself is through fake messages sent from fake cellphone towers -- towers that are indistinguishable from real ones to victims' phones, because police have spent the past five years exploiting fake cellphone towers, rather than trying to get manufacturers to make them impossible.


Fake cellphone towers are easy and cheap to make, and they're devastatingly effective. Your phone could be connected to one right now and you'd never know. Think of all the data your phone protects -- especially when it comes to two-factor authentication. That's the data that the security services have decided to sacrifice to make their jobs easier.


Attackers operate fake base transceiver stations (BTSs) that send phishing SMS messages masquerading as ones coming from Chinese telecom service providers China Mobile and China Unicom.


Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks.

Once an infected app is installed, it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to a victim's contacts.

Swearing Trojan Continues to Rage, Even After Authors’ Arrest
[Feixiang He/Check Point]
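The quoted passage describes messages that arrive through a rogue base station with a spoofed carrier sender ID and carry a link to a malicious download. As an added example that is not part of the original post or of Check Point's research, the following Python script triages constructed SMS records by ignoring the sender field as evidence (a rogue tower can set it to anything) and judging each message by its content: whether its links fall under the domains the claimed brand is assumed to use, and whether a link points at an APK. The brand-to-domain allowlist, the sample messages, the sender IDs and the URLs are all placeholders constructed for this example; no real carrier numbers or domains are taken from the page.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist mapping a claimed brand to the link domains it may use.
# Placeholder values constructed for this example, not real carrier domains.
BRAND_DOMAINS = {
    "china mobile": {"mobile-carrier.example"},
    "china unicom": {"unicom-carrier.example"},
}

# Matches http(s) URLs and bare hostnames such as "promo.example/x".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def extract_links(body):
    """Return (host, path, original_text) for each link-looking token."""
    links = []
    for match in URL_RE.finditer(body):
        raw = match.group(0).rstrip(".,;:)")
        parsed = urlparse(raw if "://" in raw else "http://" + raw)
        links.append(((parsed.hostname or "").lower(), parsed.path, raw))
    return links


def claimed_brand(body):
    """Return the first known brand name mentioned in the message, if any."""
    lowered = body.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def host_allowed(host, domains):
    """True if host is an allowlisted domain or a subdomain of one.

    A lookalike such as "points-mobile-carrier.example" is not a subdomain of
    "mobile-carrier.example" because the dot boundary is enforced.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(sender, body):
    """Return a list of findings for one message; an empty list means clean.

    The sender ID is deliberately not used as evidence: a message relayed
    through a rogue base station can carry any sender ID, so only the body
    is examined. The sender is kept only so that reports can display it.
    """
    findings = []
    brand = claimed_brand(body)
    for host, path, raw in extract_links(body):
        if brand and not host_allowed(host, BRAND_DOMAINS[brand]):
            findings.append(
                f"sender {sender}: link {raw} is not a known {brand} domain")
        if path.lower().endswith(".apk"):
            findings.append(f"sender {sender}: link {raw} is an APK download")
    return findings


# Constructed sample messages; sender IDs and URLs are made up for this example.
SAMPLE_MESSAGES = [
    ("carrier-shortcode", "China Mobile: your bill is ready, view it at "
                          "https://bill.mobile-carrier.example/view"),
    ("carrier-shortcode", "China Mobile: your points expire today, redeem at "
                          "http://points-mobile-carrier.example/login"),
    ("+00-0000-0000", "Miss you! Our photos from the weekend: "
                      "http://cdn-photos.example/album.apk"),
]


def triage_all(messages):
    """Map message index to its findings, omitting messages with none."""
    report = {}
    for index, (sender, body) in enumerate(messages):
        findings = triage_sms(sender, body)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in triage_all(SAMPLE_MESSAGES).items():
        for finding in findings:
            print(f"message {index}: {finding}")
```

Only the second and third sample messages produce findings: the first links to a subdomain of the assumed carrier domain and passes, the second uses a hyphenated lookalike that the dot-boundary check rejects, and the third carries no brand claim at all but links directly to an APK, which is the installation step the quoted passage describes.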


(Image: PalmCellTower, Gary Minnaert, PD)


(via Beyond the Beyond)