TrickMo malware uses fake lock screen to steal Android PIN

By admin, October 14, 2024

Forty new variants of the TrickMo Android banking Trojan have been observed in the wild, linked to 16 droppers and 22 separate command-and-control (C2) infrastructures, and they come with new features designed to steal Android PINs.

The new variants were reported by Zimperium. This follows an earlier report by Cleafy that covered some, but not all, of the variants currently in circulation.

TrickMo was first documented by IBM X-Force in 2020, but is believed to have been used to attack Android users since at least September 2019.

Fake lock screen steals Android PIN

Key features of the new TrickMo version include one-time password (OTP) interception, screen recording, data exfiltration, remote control, and more.

The malware abuses the powerful Accessibility Service permission to grant itself additional privileges and to automatically tap through prompts when needed.

As a banking Trojan, it displays overlays that mimic the login screens of various banks and financial institutions in order to steal the user’s account credentials and allow the attacker to perform fraudulent transactions.
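A practical triage step that follows from the accessibility-service abuse described above is to check which packages currently hold that permission and where they were installed from. The script below is an added example, not code from the article or from Zimperium; it parses the output of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any enabled accessibility service whose package was not installed by a trusted store. The sample command outputs, the package names and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service entries). Not taken from the article.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/com.example.fakebank.AccService"
)

# Constructed sample of `adb shell pm list packages -i` output. A sideloaded APK
# (for example one fetched from a link sent by SMS) typically shows installer=null.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.fakebank  installer=null
"""

# Installers considered trustworthy; com.android.vending is Google Play.
# Extend this for an enterprise MDM agent or OEM store as appropriate.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when unknown or sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_services(setting):
    """Split the secure setting into (package, service) pairs.

    The setting reads 'null' when no service is enabled; such entries carry
    no '/' and are skipped.
    """
    services = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        services.append((pkg, svc))
    return services


def flag_sideloaded_accessibility_services(setting, pm_output, trusted=TRUSTED_INSTALLERS):
    """Return enabled accessibility services whose package did not come from a trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        inst = installers.get(pkg)  # None if sideloaded or not listed at all
        if inst not in trusted:
            findings.append({"package": pkg, "service": svc, "installer": inst})
    return findings


if __name__ == "__main__":
    for f in flag_sideloaded_accessibility_services(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"suspicious accessibility service: {f['package']}/{f['service']} "
              f"(installer={f['installer']})")
```

A hit from this check is not proof of infection (users do enable legitimate sideloaded accessibility tools), but an accessibility service from a package with no installer is exactly the combination the article's infection chain produces, and it is a reasonable place to start a manual review.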

Banking overlay used in attack (Source: Zimperium)

Zimperium analysts examining these new variants have also reported deceptive unlock screens that mimic real Android unlock prompts and are designed to steal users’ unlock patterns or PINs.

“The deceptive user interface is an HTML page hosted on an external website that appears in full-screen mode on the device and appears to be a legitimate screen,” Zimperium explains.

“When the user enters an unlock pattern or PIN, the page sends the retrieved PIN or pattern details along with the unique device identifier (Android ID) to the PHP script.”
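The exfiltration behaviour Zimperium describes, a full-screen web page posting the entered PIN or pattern together with the Android ID to a server-side script, has a recognisable shape in network telemetry. The script below is an added example written for this article, not code from Zimperium or from the malware; it scans a list of captured HTTP requests and flags POSTs to non-allowlisted hosts whose form body carries both a value shaped like an Android ID (16 lowercase hex characters) and a `pin` or `pattern` field. The request records, hostnames and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of captured requests (method, url, form body), e.g. from a
# lab proxy. 203.0.113.0/24 is a documentation range; none of this is real traffic.
SAMPLE_REQUESTS = [
    ("GET",  "https://www.example-bank.com/login", ""),
    ("POST", "https://www.example-bank.com/api/login", "user=alice&pass=secret"),
    ("POST", "http://203.0.113.7/gate.php", "id=3f2a9b1c8d7e6f50&pin=1234"),
    ("POST", "http://203.0.113.7/gate.php", "id=3f2a9b1c8d7e6f50&pattern=0-1-2-5-8"),
    ("POST", "https://analytics.example.net/collect", "id=3f2a9b1c8d7e6f50&event=open"),
]

# Hosts the device is expected to talk to; anything else is "unknown".
ALLOWED_HOSTS = {"www.example-bank.com"}

# Android ID as returned by Settings.Secure.ANDROID_ID: 16 hex digits.
ANDROID_ID_RE = re.compile(r"^[0-9a-f]{16}$")

# Field names the article says the fake lock screen submits.
SECRET_FIELDS = {"pin", "pattern"}


def is_pin_exfil(method, url, body, allowed_hosts=ALLOWED_HOSTS):
    """Return a finding dict if the request looks like lock-screen credential exfil, else None."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(url)
    if parts.hostname in allowed_hosts:
        return None
    # The page posts form-encoded fields; a JSON body would need a separate parser.
    params = parse_qs(body, keep_blank_values=True)
    has_device_id = any(ANDROID_ID_RE.match(v) for vals in params.values() for v in vals)
    secret_fields = sorted(k for k in params if k.lower() in SECRET_FIELDS)
    if has_device_id and secret_fields:
        return {"host": parts.hostname, "path": parts.path, "fields": secret_fields}
    return None


def scan_requests(requests, allowed_hosts=ALLOWED_HOSTS):
    """Apply is_pin_exfil to every (method, url, body) record and collect the hits."""
    findings = []
    for method, url, body in requests:
        finding = is_pin_exfil(method, url, body, allowed_hosts)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"possible PIN/pattern exfil to {f['host']}{f['path']} fields={f['fields']}")
```

Requiring both the device identifier and a secret-looking field keeps ordinary analytics beacons (which often carry an ID but no PIN) and legitimate bank logins (allowlisted host) out of the results; tune the allowlist and field names to the environment rather than relying on the constructed values here.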

Fake Android lock screen displayed by TrickMo (Source: Zimperium)

Stealing the PIN allows an attacker to unlock the device and perform fraud on the device during times when it is not actively being monitored (perhaps late at night).

Exposed victims

Because the C2 infrastructure was inadequately secured, Zimperium was able to confirm that at least 13,000 victims were affected by the malware. Most of the victims are in Canada, with significant numbers also found in the United Arab Emirates, Türkiye, and Germany.

TrickMo victim heatmap (Source: Zimperium)

According to Zimperium, this figure comes from only “several C2 servers,” so the total number of TrickMo victims could be even higher.

“Our analysis revealed that the IP list file is regularly updated each time the malware successfully compromises credentials,” Zimperium explains.

“We discovered millions of records within these files, representing a large number of compromised devices and a large amount of sensitive data accessed by threat actors.”

Cleafy had previously withheld evidence of the breach from the public because the misconfigured C2 infrastructure could have exposed victims’ data to the broader cybercriminal community. Zimperium has chosen to publish everything in this GitHub repository.

TrickMo’s targeting scope also appears broad enough to cover app types (and accounts) beyond banking, including VPNs, streaming platforms, e-commerce platforms, trading, social media, recruiting, and enterprise platforms.

TrickMo is currently being spread through phishing, so to minimize the chance of infection, avoid downloading APKs from URLs sent via SMS or Direct Message from people you don’t know.

Google Play Protect identifies and blocks known variants of TrickMo, so making sure Play Protect is active on your device is key to protecting against this malware.
