New variants of the TrickMo Android banking trojan have been identified, harboring advanced capabilities to steal device unlock patterns and PINs, enabling threat actors to operate on infected devices even when they are locked.
According to Zimperium security researcher Aazim Yaswant, this feature allows attackers to gain remote control over the device, leveraging Android's accessibility services to perform malicious actions like stealing SMS-based one-time passwords (OTPs) and displaying fake overlay screens to capture sensitive credentials.
TrickMo, which first appeared in 2019, is linked to the notorious TrickBot cybercrime group and has continuously evolved. Recent updates include improved methods to evade security analysis and gain additional permissions on the infected device. Among the most concerning additions is a fake unlock screen that mimics the device’s actual UI. This deceptive screen is hosted externally and displayed in full-screen mode, tricking users into entering their unlock patterns or PINs.
Once entered, these details are sent to an attacker-controlled server (android.ipgeo[.]at) via an HTTP POST request, allowing cybercriminals to access the device and carry out unauthorized transactions or further malicious activity.
Zimperium's analysis of the malware's command-and-control (C2) servers turned up approximately 13,000 unique IP addresses, most of them geolocated in Canada, the U.A.E., Turkey, and Germany.
The danger posed by TrickMo extends beyond banking credentials. The malware can steal credentials used for corporate resources, such as VPNs and internal websites, emphasizing the need to protect mobile devices from such threats. TrickMo has also been found to target a wide range of applications, including banking, e-commerce, government, healthcare, and social media platforms.
The discovery of these new features comes alongside the rise of another Android banking malware campaign called ErrorFather, which repurposes the Cerberus malware for financial fraud. According to Symantec, this highlights the ongoing threat of repurposed malware, as cybercriminals continue to exploit the leaked source code of older malware strains.
Research by Zscaler ThreatLabz shows that mobile attacks involving banking malware have increased by 29% between June 2023 and April 2024. India was the top target for mobile banking attacks during this period, accounting for 28% of all attacks, followed by the U.S., Canada, South Africa, and other countries.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067