Cybersecurity researchers have discovered a new variant of an Android banking trojan known as TrickMo, which is equipped with new capabilities to evade analysis and present fake login screens to capture victims’ banking credentials.
“The mechanisms typically involve using malformed ZIP files along with JSONPacker,” stated Cleafy security researchers Michele Roviello and Alessandro Strino. “Moreover, the application is installed through a dropper app that utilizes similar anti-analysis techniques.”
“These functionalities are designed to avoid detection and impede cybersecurity experts’ attempts to analyze and mitigate the malware.”
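As an added triage example (not Cleafy's code, and not tied to the specific malformation TrickMo uses, which the article does not detail), the following Python checks an APK's ZIP structure for the kinds of inconsistencies that break analysis tooling: duplicate entries, local headers that disagree with the central directory, CRC failures, and bytes past the end-of-central-directory record. The sample archives are constructed in memory.

```python
import io
import struct
import warnings
import zipfile

def zip_anomalies(data: bytes) -> list[str]:
    """Return descriptions of structural oddities in an in-memory ZIP/APK."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"unparseable archive: {exc}"]
    names = [i.filename for i in zf.infolist()]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate entry: {name}")  # tools differ on which copy wins
    for info in zf.infolist():
        if info.filename.startswith("/") or ".." in info.filename.split("/"):
            findings.append(f"suspicious path: {info.filename}")
        # Cross-check the local file header against the central directory entry.
        sig, _, _, method = struct.unpack_from("<IHHH", data, info.header_offset)
        if sig != 0x04034B50:
            findings.append(f"bad local header signature: {info.filename}")
        elif method != info.compress_type:
            findings.append(f"local/central method mismatch: {info.filename}")
        try:
            zf.read(info)  # raises BadZipFile when the stored CRC does not match
        except zipfile.BadZipFile as exc:
            findings.append(f"entry unreadable ({exc}): {info.filename}")
    # Bytes past the end-of-central-directory record are ignored by ZIP parsers,
    # so scanners that only look at the archive's entries never see them.
    eocd = data.rfind(b"PK\x05\x06")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    extra = len(data) - (eocd + 22 + comment_len)
    if extra:
        findings.append(f"trailing data after EOCD: {extra} bytes")
    return findings

def build_sample(malformed: bool) -> bytes:
    """Constructed APK-like archive for demonstration; not a real TrickMo sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        if malformed:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\0" + b"\1" * 32)
    data = buf.getvalue()
    if malformed:  # corrupt the stored manifest bytes (CRC mismatch) and add trailing junk
        idx = data.index(b"<manifest/>")
        data = data[:idx] + b"<MANIFEST/>" + data[idx + 11:] + b"JUNK" * 8
    return data
```

Running `zip_anomalies(build_sample(True))` reports the duplicate `classes.dex`, the unreadable manifest and 32 trailing bytes, while the clean sample yields no findings.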
Initially identified by CERT-Bund in September 2019, TrickMo has a history of targeting Android devices, specifically aiming at users in Germany to extract one-time passwords (OTPs) and other two-factor authentication (2FA) codes for financial fraud purposes.
TrickMo, a mobile-focused malware believed to be developed by the TrickBot e-crime group, has continuously enhanced its obfuscation and anti-analysis features to remain undetected.
Its notable capabilities include capturing screen activity, logging keystrokes, gathering images and SMS messages, remotely controlling the infected device for on-device fraud (ODF), and abusing Android’s accessibility services API both for HTML overlay attacks and for executing clicks and gestures on the device.
The malicious dropper app identified by an Italian cybersecurity company masquerades as the Google Chrome browser and, upon launch after installation, prompts the user to update Google Play Services by clicking the Confirm button.
If the user proceeds with the update, an APK file containing the TrickMo payload is downloaded to the device disguised as “Google Services,” followed by a request to enable accessibility services for the new app.
“Accessibility services are intended to assist users with disabilities by providing alternative ways to interact with their devices,” explained the researchers. “However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device.”
“This elevated permission enables TrickMo to carry out various malicious actions, such as intercepting SMS messages, managing notifications to intercept or conceal authentication codes, and executing HTML overlay attacks to steal user credentials. Furthermore, the malware can dismiss keyguards and auto-accept permissions, allowing it to seamlessly integrate into the device’s operations.”
Additionally, the exploitation of accessibility services allows the malware to disable critical security features and system updates, grant permissions automatically, and prevent the removal of specific apps.
Cleafy’s investigation also unearthed misconfigurations in the command-and-control (C2) server, enabling access to 12 GB of sensitive data extracted from the devices, including credentials and images, without the need for authentication.
The C2 server additionally hosts HTML files utilized in overlay attacks, comprising fraudulent login pages for various services, including banks like ATB Mobile and Alpha Bank, and cryptocurrency platforms such as Binance.
This security flaw not only exposes a mistake in operational security (OPSEC) on the part of threat actors but also puts victims’ data at risk of exploitation by other malicious actors.
The extensive information revealed from TrickMo’s C2 infrastructure could be utilized for identity theft, unauthorized entry into various online accounts, illicit fund transfers, and fraudulent transactions. Furthermore, attackers could seize control of the accounts and lock victims out by resetting their passwords.
“Through personal information and images, the attacker can create convincing messages that deceive victims into revealing more information or executing malicious activities,” highlighted the researchers.
“Exploiting such comprehensive personal data leads to immediate financial and reputational harm and long-term repercussions for victims, involving a complex and prolonged recovery process.”
This disclosure coincides with Google’s efforts to address the security risks of sideloading: the Play Integrity API lets third-party developers determine whether their apps were sideloaded and, if so, require users to download them from Google Play to continue using them.