TrickMo Android Trojan Leverages Accessibility Services for On-Device Banking Fraud

September 13, 2024Ravie LakshmananFinancial Fraud / Mobile Security

A new variant of the Android banking trojan TrickMo has been identified by cybersecurity researchers. It carries new capabilities to evade analysis and to display fake login screens that capture users' banking credentials.

“The strategies involve utilizing corrupted ZIP files in conjunction with JSONPacker,” Cleafy security researchers Michele Roviello and Alessandro Strino said. “Moreover, the application is deployed via a dropper app that implements the same anti-analysis techniques.”

“These features are crafted to dodge detection and impede cybersecurity professionals’ attempts to scrutinize and counteract the malware.”

First observed in the wild by CERT-Bund in September 2019, TrickMo has a history of targeting Android devices, with a particular focus on users in Germany, stealing one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.


The mobile malware is believed to be the work of the now-defunct TrickBot e-crime gang, which steadily improved its obfuscation and anti-analysis features over time to evade detection.

Notable among its capabilities are recording screen activity, logging keystrokes, harvesting photos and SMS messages, remotely controlling the infected device to carry out on-device fraud (ODF), and abusing Android's accessibility services API to mount HTML overlay attacks and to perform clicks and gestures on the device.

The malicious dropper app identified by the Italian cybersecurity firm masquerades as the Google Chrome web browser. Once installed and launched, it prompts the user to update Google Play Services by tapping a Confirm button.


If the user accepts the update, an APK file containing the TrickMo payload is downloaded to the device under the name “Google Services,” and the user is then asked to enable accessibility services for the new app.

“Accessibility services are created to aid users with disabilities by offering alternate methods to interact with their devices,” the researchers explained. “Nevertheless, when misused by malicious apps like TrickMo, these services can bestow extensive control over the device.”

“This heightened authorization permits TrickMo to carry out various malevolent actions, including intercepting SMS messages, handling notifications to snag or mask authentication codes, and executing HTML overlay assaults to pilfer user credentials. Furthermore, the malware can bypass keyguards and automatically grant permissions, permitting it to seamlessly assimilate into the device’s operations.”

Abuse of the accessibility services also lets the malware disable key security features and system updates, grant itself permissions automatically, and block the removal of specific apps.
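The chain above (a sideloaded app named after a Google component that then asks for accessibility access) leaves a footprint that can be checked from a workstation. The following is an added example, not code from Cleafy or from this article: it post-processes the output of two adb commands and flags every enabled accessibility service whose package is not on an allowlist or was not installed by the Play Store. The allowlist is an assumption to be adjusted per device fleet, and the sample command outputs (including the package name com.gservices.update) are constructed for the example.

```python
"""Audit which apps hold accessibility-service access on an Android device.

Post-processes the text output of two adb commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

and flags every enabled accessibility service whose package is not on an
allowlist or was not installed by the Play Store. The sample outputs below
are constructed for this example; "com.gservices.update" is a made-up
package standing in for a sideloaded "Google Services" lookalike.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"

# Assumption: services the device owner knowingly enabled. Adjust per fleet.
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}

# Constructed sample: colon-separated "package/ServiceClass" entries; the
# class may be written relative to the package with a leading dot.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.gservices.update/.AccService"
)

# Constructed sample of `pm list packages -i`. "installer=null" means Android
# recorded no installer package (as for an adb install); a sideload through a
# browser or file manager usually records that app, which is also not the
# Play Store and is therefore flagged as well.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.gservices.update  installer=null
"""


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reasons: List[str]


def parse_enabled_services(text: str) -> List[Tuple[str, str]]:
    """Split the settings value into (package, fully qualified class) pairs."""
    pairs = []
    for entry in text.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):  # expand the abbreviated class name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; "null" becomes None."""
    installers: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def audit(enabled_text: str, packages_text: str,
          allowlist: Set[str] = ALLOWLIST) -> List[Finding]:
    """Return one Finding per enabled accessibility service that looks suspicious."""
    installers = parse_installers(packages_text)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_text):
        reasons = []
        if pkg not in allowlist:
            reasons.append("accessibility service not on allowlist")
        installer = installers.get(pkg)  # None if unknown or recorded as null
        if installer != PLAY_STORE:
            reasons.append(f"not installed by Play Store (installer={installer})")
        if reasons:
            findings.append(Finding(pkg, cls, installer, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"{f.package} ({f.service}): " + "; ".join(f.reasons))
```

On a real device, capture the two command outputs to files and pass their contents to `audit`. The check is deliberately conservative: an enabled service that is both off the allowlist and not from the Play Store is exactly the combination the dropper flow produces, but a hit still needs a human look, since legitimate accessibility tools installed from other stores will also be reported.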


Cleafy's analysis also uncovered misconfigurations in the command-and-control (C2) server that exposed 12 GB of sensitive data exfiltrated from victim devices, including credentials and pictures, without requiring any authentication.

The C2 server also hosts the HTML files used in the overlay attacks. These embed fake login pages for a range of services, including banks such as ATB Mobile and Alpha Bank and cryptocurrency platforms such as Binance.

The lapse not only exposes an operational security (OPSEC) failure by the threat actors but also leaves victims' data open to exploitation by other malicious parties.


The volume of information exposed from TrickMo's C2 infrastructure could be used for identity theft, unauthorized access to online accounts, unauthorized fund transfers, and fraudulent transactions. Worse, attackers could take over the accounts and lock victims out by resetting their passwords.

“With personal data and images, the attacker can fabricate convincing messages to deceive victims into revealing more information or executing malicious acts,” the researchers emphasized.

“Exploiting such detailed personal information leads to immediate financial and reputational harm and long-lasting repercussions for the victims, making recovery a convoluted and protracted process.”

The disclosure comes as Google has been closing the security gaps around sideloading, allowing third-party developers to determine, using the Play Integrity API, whether their apps have been sideloaded and, if so, to require users to obtain the app from Google Play before they can continue using it.
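The check Google describes is made on the app's backend against the decrypted Play Integrity verdict. The following is an added example, not Google's or the article's code, showing how a server might gate its API on that verdict and steer a sideloaded install back to the store: it follows the documented verdict field names (`requestDetails`, `appIntegrity.appRecognitionVerdict`, `deviceIntegrity.deviceRecognitionVerdict`) and goes slightly beyond the sideloading point by also binding the verdict to the server's own nonce and freshness window and requiring device integrity. The package name com.example.bank, the five-minute freshness window and the sample verdict payloads are assumptions constructed for the example; decrypting and signature-checking the token, which happens before this step, is out of scope.

```python
"""Gate a backend API on a decrypted Play Integrity verdict.

Input is the decrypted JSON verdict payload the Play Integrity API returns for
an app's integrity token (decryption/signature verification is done earlier
and not shown). Field names follow Google's documented verdict format; the
sample payloads are constructed for this example.
"""
import json
from enum import Enum

EXPECTED_PACKAGE = "com.example.bank"  # assumption: the app being protected
MAX_AGE_MS = 5 * 60 * 1000             # assumption: reject verdicts older than 5 min


class Decision(Enum):
    ALLOW = "allow"
    REINSTALL_FROM_PLAY = "reinstall_from_play"  # sideloaded/modified build
    REJECT = "reject"


def evaluate_verdict(payload: str, expected_nonce: str, now_ms: int) -> Decision:
    """Decide whether to serve the request that carried this verdict."""
    v = json.loads(payload)
    req = v.get("requestDetails", {})
    # Bind the verdict to this request: our app, our nonce, and recent.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return Decision.REJECT
    if req.get("nonce") != expected_nonce:
        return Decision.REJECT
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        return Decision.REJECT

    app = v.get("appIntegrity", {})
    if app.get("packageName") != EXPECTED_PACKAGE:
        return Decision.REJECT
    # PLAY_RECOGNIZED: this exact build was installed from Google Play.
    # UNRECOGNIZED_VERSION: unknown binary, i.e. sideloaded or modified.
    # UNEVALUATED (or missing): Play could not judge it.
    recognition = app.get("appRecognitionVerdict")
    if recognition == "UNRECOGNIZED_VERSION":
        return Decision.REINSTALL_FROM_PLAY
    if recognition != "PLAY_RECOGNIZED":
        return Decision.REJECT

    device = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in device:
        return Decision.REJECT
    return Decision.ALLOW


def _sample(recognition: str) -> str:
    """Constructed verdict payload; digest and version values are placeholders."""
    return json.dumps({
        "requestDetails": {
            "requestPackageName": EXPECTED_PACKAGE,
            "nonce": "n-123",
            "timestampMillis": "1000000",
        },
        "appIntegrity": {
            "appRecognitionVerdict": recognition,
            "packageName": EXPECTED_PACKAGE,
            "certificateSha256Digest": ["placeholder-digest"],
            "versionCode": "42",
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    })


SAMPLE_PLAY_INSTALL = _sample("PLAY_RECOGNIZED")
SAMPLE_SIDELOADED = _sample("UNRECOGNIZED_VERSION")

if __name__ == "__main__":
    now = 1_000_000 + 60_000
    print(evaluate_verdict(SAMPLE_PLAY_INSTALL, "n-123", now).value)
    print(evaluate_verdict(SAMPLE_SIDELOADED, "n-123", now).value)
```

The sideloaded case deliberately returns a distinct `REINSTALL_FROM_PLAY` decision rather than a bare rejection, so the client can show the "install from Google Play to continue" prompt the article describes, while a mismatched nonce, stale timestamp or wrong package is treated as an outright rejection because it indicates a replayed or foreign verdict rather than a sideloaded copy.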
