New TrickMo Android Trojan Variant Evades Detection to Steal Credentials

Cybersecurity researchers have identified a new variant of the TrickMo Android banking trojan, which comes with enhanced capabilities to evade detection and capture victims' banking credentials by displaying fake login screens.

The latest iteration evades detection by packaging its payload in malformed ZIP files combined with JSONPacker, according to Cleafy security researchers Michele Roviello and Alessandro Strino. It is delivered by a dropper app that itself carries anti-analysis mechanisms, which further complicates detection and analysis.
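The malformed-ZIP trick works because Android's installer and the analyst's unpacker can disagree about what an archive contains. The script below is an added example for this page, not Cleafy's tooling or anything shipped with TrickMo: it constructs an APK-shaped archive in memory, injects three malformations chosen for illustration (a duplicate entry, a directory entry shadowing `classes.dex`, and a local file header whose name disagrees with the central directory), and then reads every local header by hand to flag such inconsistencies before a sample goes into an automated pipeline.

```python
"""Static triage of an APK's ZIP container for malformations that break naive
unpackers. Added example; the archive and its defects are constructed here."""
import io
import struct
import warnings
import zipfile

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"              # fixed 30-byte part of a local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30


def zip_anomalies(data: bytes) -> list[tuple[str, str]]:
    """Return (kind, entry_name) pairs for every inconsistency found in `data`.

    The central directory is used only as an index; each local header is then
    parsed directly, since that is where installers and unpackers diverge.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:    # reads the central directory only
        infos = zf.infolist()
    names = [i.orig_filename for i in infos]

    seen: set[str] = set()
    for name in names:                                # same path listed twice
        if name in seen:
            findings.append(("duplicate", name))
        seen.add(name)

    files = {n for n in names if not n.endswith("/")}
    for name in names:                                # 'classes.dex/' beside 'classes.dex'
        if name.endswith("/") and name[:-1] in files:
            findings.append(("dir_shadows_file", name))

    for info in infos:
        name = info.orig_filename
        if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            findings.append(("unusual_method", name))  # APKs use stored or deflate only
        off = info.header_offset
        fixed = data[off:off + LOCAL_LEN]
        if len(fixed) < LOCAL_LEN:
            findings.append(("truncated_local_header", name))
            continue
        sig, _ver, flags, method, _t, _d, crc, _csz, _usz, name_len, _extra = \
            struct.unpack(LOCAL_FMT, fixed)
        if sig != LOCAL_SIG:
            findings.append(("bad_local_signature", name))
            continue
        local_name = data[off + LOCAL_LEN:off + LOCAL_LEN + name_len].decode("utf-8", "replace")
        if local_name != name:
            findings.append(("name_mismatch", name))
        if method != info.compress_type:
            findings.append(("method_mismatch", name))
        # With general-purpose bit 3 set the CRC lives in a trailing data descriptor.
        if not flags & 0x08 and crc != info.CRC:
            findings.append(("crc_mismatch", name))
    return findings


def build_suspicious_apk() -> bytes:
    """Construct an APK-shaped archive carrying three deliberate malformations."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")               # zipfile warns on the duplicate name
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex/", b"")             # directory shadowing the real dex
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")  # duplicate entry
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    data = bytearray(buf.getvalue())
    # Rewrite the *local* header's name for AndroidManifest.xml while the central
    # directory keeps the original; same length, so no offsets move.
    with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
        off = zf.getinfo("AndroidManifest.xml").header_offset
    start = off + LOCAL_LEN
    data[start:start + len(b"AndroidManifest.xml")] = b"AndroidManifest.xmX"
    return bytes(data)


if __name__ == "__main__":
    for kind, name in zip_anomalies(build_suspicious_apk()):
        print(f"{kind:24s} {name}")
```

Python's own `zipfile` will still list this archive but raises `BadZipFile` the moment a member with a mismatched local name is opened, which is exactly the kind of failure a sandbox or unpacking step silently trips over; running the anomaly pass first turns that crash into a triage signal.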

First detected by CERT-Bund in September 2019, TrickMo has a history of targeting Android devices, primarily in Germany, to intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes for committing financial fraud. Originally linked to the now-defunct TrickBot e-crime gang, the malware has evolved over time, incorporating advanced anti-analysis and obfuscation techniques.

Key Capabilities of TrickMo:

  1. Screen Recording and Keystroke Logging: TrickMo can record on-screen activity and log keystrokes, enabling it to capture sensitive user inputs.
  2. SMS Interception and Notification Handling: The malware can intercept SMS messages and manage notifications, which allows it to steal authentication codes without user awareness.
  3. On-Device Fraud (ODF): TrickMo can remotely control infected devices, conducting fraudulent activities directly from the victim’s phone.
  4. Accessibility Services Exploitation: The malware takes advantage of Android’s accessibility services API to perform HTML overlay attacks, which involve displaying fake login screens over legitimate apps. It also automates clicks and gestures on the device, further aiding its malicious objectives.

The malicious dropper app discovered by Cleafy masquerades as the Google Chrome browser. Once installed, the app urges the victim to update Google Play Services. If the user proceeds, an APK file containing the TrickMo payload is downloaded, disguised as "Google Services."

TrickMo then prompts the victim to enable accessibility services, a legitimate Android feature designed to assist users with disabilities. However, in the hands of cybercriminals, these permissions give TrickMo extensive control over the device, enabling it to:

  1. Intercept SMS messages and authentication codes.
  2. Execute overlay attacks to steal user credentials.
  3. Auto-accept permissions and prevent the uninstallation of apps.

Data Exposure Through Command-and-Control (C2) Server:

Cleafy's analysis revealed a misconfiguration in TrickMo’s command-and-control (C2) server, exposing 12 GB of sensitive data, including user credentials, photos, and more. This security lapse not only jeopardizes the victims’ data but also exposes it to further exploitation by other cybercriminals.

The same C2 server hosts the HTML files used in the overlay attacks: fake login pages mimicking banks such as ATB Mobile and Alpha Bank, and cryptocurrency platforms such as Binance. This operational security (OPSEC) blunder by TrickMo's operators leaves victims exposed to identity theft, fraudulent transactions, and account hijacking by anyone who finds the server.

Potential Consequences:

The trove of personal information extracted by TrickMo could be weaponized for identity theft, unauthorized fund transfers, and fraudulent purchases. Attackers could even lock victims out of their accounts by resetting passwords, causing significant financial and reputational damage.

Moreover, using personal information and images, attackers can craft phishing messages designed to trick victims into disclosing even more sensitive data or performing malicious actions.

Google's Response:

In response to the growing threat from sideloaded malware, Google has been hardening how sideloaded apps are handled. Its Play Integrity API lets third-party developers check, from their own backend, whether a running copy of their app was installed from Google Play; if it was not, the app can refuse to continue and prompt the user to install it from Google Play.
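What "determine whether the app was sideloaded" means in practice is a backend policy over the decoded integrity verdict. The code below is an added example, not Google's code or anything from the article: it assumes the app has already requested an integrity token on the device and the backend has decoded it through Google's API, and it applies the policy to a constructed verdict in the documented JSON shape. The package name, certificate digest, nonce and timestamp are placeholders.

```python
"""Backend policy over a decoded Play Integrity verdict (added example).

Assumes token decoding has already happened server-side; the dicts below are
constructed payloads in the documented verdict layout, with placeholder values.
"""

EXPECTED_PACKAGE = "com.example.bank"                    # placeholder package name
ALLOWED_CERT_DIGESTS = {"6a6a1474b5cbbb2b1aa57e0bc3"}    # placeholder signing-cert digest
MAX_TOKEN_AGE_MS = 5 * 60 * 1000                         # reject verdicts older than 5 minutes

# Constructed decoded verdicts (not real Google output).
PLAY_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "nonce": "c2FtcGxlLW5vbmNl", "timestampMillis": "1675526378000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank",
                     "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
SIDELOADED_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "nonce": "c2FtcGxlLW5vbmNl", "timestampMillis": "1675526378000"},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": "com.example.bank",
                     "certificateSha256Digest": ["6a6a1474b5cbbb2b1aa57e0bc3"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}
NOW_MS = 1675526378000 + 60_000    # one minute after the token timestamp


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: int) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is allow, require_play_install or deny."""
    reasons: list[str] = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})

    # Binding checks first: a verdict that is not for this request and this
    # app is worthless regardless of what it says, so these are hard denials.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch: replayed or foreign token")
    if req.get("requestPackageName") != EXPECTED_PACKAGE or app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if not set(app.get("certificateSha256Digest", [])) & ALLOWED_CERT_DIGESTS:
        reasons.append("signing certificate not recognised")
    if now_ms - int(req.get("timestampMillis", "0")) > MAX_TOKEN_AGE_MS:
        reasons.append("token too old")
    if reasons:
        return "deny", reasons

    # A device that fails integrity is treated as untrusted (policy choice here).
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        return "deny", ["device integrity not met"]

    # Sideload signals: the binary is not the one Play distributes, or this
    # account never obtained it from Play. The app should send the user to Play.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"appRecognitionVerdict={app.get('appRecognitionVerdict')}")
    if acct.get("appLicensingVerdict") != "LICENSED":
        reasons.append(f"appLicensingVerdict={acct.get('appLicensingVerdict')}")
    if reasons:
        return "require_play_install", reasons
    return "allow", reasons


if __name__ == "__main__":
    for label, v in (("play", PLAY_VERDICT), ("sideloaded", SIDELOADED_VERDICT)):
        print(label, evaluate_verdict(v, "c2FtcGxlLW5vbmNl", NOW_MS))
```

The ordering matters: nonce, package and certificate binding are checked before any integrity field is read, because a sideloaded dropper can just as easily replay a genuine verdict harvested elsewhere as forge one. Whether a failed device-integrity check is a hard deny or merely a step-up is a product decision; it is marked as a policy choice in the code.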

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067