TrickMo Banking Trojan Can Now Seize Android PINs and Unlock Patterns
New variants of the Android banking trojan known as TrickMo have been found to carry previously undocumented capabilities for stealing a device's unlock pattern or PIN.
Regarding this new feature, Zimperium security researcher Aazim Yaswant stated in a recent analysis that “The addition of this functionality allows the malicious actor to operate on the device even when it is secured and locked.”
First spotted in the wild in 2019, TrickMo takes its name from its links to the TrickBot cybercrime group. It can grant remote access to compromised devices, intercept one-time passwords (OTPs) sent via SMS, and display overlay screens to harvest login credentials, abusing Android's accessibility services to do so.
In a recent disclosure, the Italian cybersecurity firm Cleafy described updated versions of the mobile malware with improved techniques to evade analysis and to obtain additional permissions for unauthorized actions on the device, including executing fraudulent financial transactions.
Several of the recent variants have also been outfitted to capture the device's unlock pattern or PIN by presenting the user with a deceptive user interface (UI) that mimics the device's legitimate unlock screen.
The UI is an HTML page hosted on an external website and displayed in full-screen mode, so that it passes for the real unlock screen.
When an unsuspecting user enters their unlock pattern or PIN, the malware sends the captured input, together with a unique device identifier, to an attacker-controlled server ("android.ipgeo[.]at") in an HTTP POST request.
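The exfiltration step described above leaves a network footprint: a POST from the handset to the C2 host whose body carries the unlock secret and a device identifier. The following is an added detection example, not code from Zimperium, Cleafy or the article: it scans constructed HTTP proxy log lines, flags any request to the C2 host the article names (written un-defanged, `android.ipgeo.at`, so it matches), and applies a weaker heuristic for POST bodies that pair a PIN- or pattern-shaped value with a device-identifier field. The log line layout, the body field names (`pin`, `pattern`, `android_id`, `device_id`, ...) and the value regexes are assumptions for illustration; TrickMo's real parameter names are not given in the article.

```python
"""Detect TrickMo-style unlock PIN/pattern exfiltration in HTTP proxy logs.

Added example (not the article's or Zimperium's code). Log format, body field
names and the regex heuristics are assumptions; only the C2 host comes from
the article.
"""
import re
from urllib.parse import parse_qs, urlparse

# Indicator reported in the article (defanged there as android.ipgeo[.]at).
KNOWN_C2_HOSTS = {"android.ipgeo.at"}

# Assumed body keys and value shapes: an unlock PIN (4-8 digits), an unlock
# pattern (4-9 nodes of the 3x3 grid, serialised as 0-8 separated by '-' or ','),
# and a per-device identifier sent alongside the secret.
UNLOCK_KEYS = {"pin", "pattern", "passcode", "unlock", "lock"}
DEVICE_ID_KEYS = {"android_id", "device_id", "deviceid", "uuid", "imei", "id"}
PIN_RE = re.compile(r"^\d{4,8}$")
PATTERN_RE = re.compile(r"^[0-8](?:[-,][0-8]){3,8}$")

# Constructed sample log, not real traffic. Assumed layout per line:
# <timestamp> <client_ip> <method> <url> <status> <body-or-dash>
SAMPLE_LOG = """\
2024-10-01T10:00:01Z 10.0.0.5 GET https://example.com/index.html 200 -
2024-10-01T10:00:07Z 10.0.0.5 POST https://android.ipgeo.at/unlock.php 200 pin=1234&android_id=9774d56d682e549c
2024-10-01T10:00:09Z 10.0.0.7 POST https://api.example.org/login 200 username=alice&password=hunter2
2024-10-01T10:01:15Z 10.0.0.9 POST https://cdn.unknown-host.test/collect 200 pattern=0-1-2-5-8&device_id=abc123
2024-10-01T10:02:30Z 10.0.0.11 POST https://parking.example.net/pay 200 pin=4321&amount=250
"""


def parse_log_line(line):
    """Split one log line into a dict; return None for blank or malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    body = parts[5] if len(parts) == 6 and parts[5] != "-" else ""
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (urlparse(url).hostname or "").lower(), "url": url,
            "status": status, "body": body}


def classify_request(req):
    """Return (severity, reason) for a suspicious request, or None if it looks benign."""
    # Any contact with the known C2 host is enough on its own.
    if req["host"] in KNOWN_C2_HOSTS:
        return "high", f"request to known TrickMo C2 host {req['host']}"
    if req["method"] != "POST" or not req["body"]:
        return None
    fields = {k.lower(): v[0] for k, v in parse_qs(req["body"]).items()}
    has_unlock = any(k in UNLOCK_KEYS and (PIN_RE.match(v) or PATTERN_RE.match(v))
                     for k, v in fields.items())
    has_device_id = any(k in DEVICE_ID_KEYS for k in fields)
    # Secret plus device identifier mirrors the exfiltration the article describes;
    # a bare PIN-shaped field is common in legitimate apps, so it only rates low.
    if has_unlock and has_device_id:
        return "medium", "POST body pairs an unlock PIN/pattern with a device identifier"
    if has_unlock:
        return "low", "POST body carries a PIN- or pattern-shaped value under an unlock-related key"
    return None


def scan_log(text):
    """Run the classifier over every line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        req = parse_log_line(line)
        if req is None:
            continue
        verdict = classify_request(req)
        if verdict:
            findings.append({"ts": req["ts"], "client": req["client"], "host": req["host"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['ts']} {f['client']} -> {f['host']}: {f['reason']}")
```

On the sample, the C2 contact rates high regardless of method, the pattern-plus-device-id POST to an unknown host rates medium, and the lone `pin=` field rates low; the login POST is ignored. In practice the host list would be fed from threat-intelligence indicators and the medium/low heuristics tuned against the organisation's own baseline, since PIN-shaped fields also appear in legitimate payment and parking apps.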
Zimperium noted that inadequately secured C2 servers offered a look at the kinds of data stored on them, including records with roughly 13,000 unique IP addresses, mostly geolocated in Canada, the U.A.E., Turkey, and Germany.
“These stolen credentials encompass not just banking details but also extend to those utilized for accessing corporate assets like VPNs and internal web portals,” emphasized Yaswant. “This emphasizes the critical importance of safeguarding mobile devices, given their potential as a primary ingress point for cyber breaches on organizations.”
Another notable aspect is the breadth of TrickMo's targeting: it harvests data from apps across many categories, including finance, business, employment, online shopping, stock trading, social networking, video streaming, gaming, VPN and secure network access tools, government services, education, telecommunications, and healthcare.
The development comes amid the emergence of a new ErrorFather Android banking trojan campaign that uses a variant of Cerberus to commit financial fraud.
“The appearance of ErrorFather underscores the persistent threat posed by repurposed malware, as cybercriminals persist in exploiting leaked source code long after the original Cerberus malware was exposed,” Broadcom-owned Symantec said.
According to Zscaler ThreatLabz, financially motivated mobile attacks involving banking malware rose 29% between June 2023 and April 2024 compared with the preceding year.
India was the top target for mobile attacks over this period, absorbing 28% of all attacks, followed by the United States, Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore, and the Philippines.