TrickMo Banking Trojan Exposed Android PINs and Unlock Patterns
New versions of an Android banking trojan known as TrickMo have been discovered with previously undocumented capabilities to steal a device's PIN or unlock pattern.
"The introduction of this fresh component allows the malicious user to operate on the apparatus even while it remains locked," Zimperium security researcher Aazim Yaswant said in an analysis released last week.
First observed in the wild in 2019, TrickMo takes its name from its links to the TrickBot cybercrime group. It can provide remote control over infected devices, steal SMS-based one-time passwords (OTPs), and display overlay screens to harvest credentials by abusing Android's accessibility services.
Last month, Italian cybersecurity firm Cleafy uncovered updated variants of the malware with improved techniques to evade analysis and grant itself additional permissions to carry out a range of malicious actions on the device, including performing unauthorized transactions.
Several of the recent variants have also been equipped to capture the device's unlock pattern or PIN by presenting a deceptive user interface (UI) to the victim that mimics the device's genuine unlock screen.
The UI is an HTML page hosted on an external site and displayed in full-screen mode, giving the impression of a legitimate unlock screen.
If unsuspecting users enter their unlock pattern or PIN, the details, along with a unique device identifier, are sent to an attacker-controlled server ("android.ipgeo[.]at") via an HTTP POST request.
Zimperium noted that the lack of adequate security on the C2 servers made it possible to gain insight into the types of data stored on them. This includes files containing approximately 13,000 unique IP addresses, most of which are geolocated to Canada, the U.A.E., Turkey, and Germany.
“These stolen credentials encompass more than just banking details, extending to those utilized to reach enterprise resources like VPNs and internal websites,” Yaswant remarked. “This underscores the paramount importance of securing mobile devices as they can serve as a primary point of entry for cyberattacks against organizations.”
Another noteworthy aspect is TrickMo's broad targeting: it harvests data from apps across many sectors, including banking, corporate, employment and recruitment, e-commerce, stock trading, social networking, media streaming, hobbies, government, education, telecommunications, and healthcare.
The development comes amid the emergence of a new ErrorFather Android banking trojan campaign that leverages a variant of Cerberus to commit financial fraud.
“The arrival of ErrorFather accentuates the enduring menace of repurposed malware, as cybercriminals proceed to capitalize on leaked source code years following the original discovery of the Cerberus malware,” Broadcom-owned Symantec stressed.
According to statistics from Zscaler ThreatLabz, financially motivated mobile attacks involving banking malware rose 29% between June 2023 and April 2024 compared with the previous year.
India emerged as the primary target for mobile attacks during this period, encountering 28% of all attacks, followed by the U.S., Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore, and the Philippines.