Cleafy’s Threat Intelligence team has uncovered a new variant of the TrickMo Android banking Trojan. Initially classified as an unknown malware sample, deeper analysis revealed it as a TrickMo variant with some new anti-analysis features, making detection more difficult and posing a significant threat to mobile banking users.
TrickMo’s Evolution
TrickMo, first identified by CERT-Bund in 2019, has a long history of targeting Android devices to carry out financial fraud. It initially gained infamy for intercepting one-time passwords (OTPs) and other two-factor authentication (2FA) mechanisms, focusing on European banking applications, particularly in Germany.
The Trojan evolved from the notorious TrickBot malware, which mainly targeted Windows systems. As cybersecurity defenses improved, TrickBot’s authors expanded to Android devices, creating TrickMo to achieve their malicious objectives.
Key features of the malware include:
- OTP Interception: TrickMo intercepts OTPs sent via SMS or authenticator apps, allowing malefactors to bypass 2FA and carry out fraudulent transactions.
- Screen Recording and Keylogging: The malware captures sensitive information such as login credentials and PINs.
- Remote Control: Threat actors can control infected devices remotely, perform transactions, and modify settings without user knowledge.
- Accessibility Service Abuse: TrickMo exploits Android’s accessibility services to manipulate device permissions and access data from other apps.
- Advanced Obfuscation: Constantly evolving, TrickMo uses sophisticated techniques to evade detection by cybersecurity researchers.
Data Stored in Unsecured Endpoints
The Cleafy team found critical details about TrickMo’s command-and-control (C2) infrastructure. Through the malware’s communication with its C2 server, bad actors manage operations on infected devices and exfiltrate sensitive data. A particularly concerning revelation was that the stolen data is stored in unsecured endpoints, which could be accessed by multiple bad actors, exposing victims to further threats.
The C2 server facilitates a slew of malicious activities, including relaying commands and gathering detailed information about the infected device, such as phone numbers and installed apps. Attackers then tailor their activities based on the specific device, heightening the efficacy of their campaigns.
One of the standout features is the “Clicker” configuration, which enables automated actions on the device via Android’s Accessibility Service. TrickMo can disable security features, block system updates, and prevent app uninstallation, giving attackers near-complete control over the device.
Data Leak Risks
Another alarming finding was a massive data leak from TrickMo’s C2 server. Misconfigurations in the infrastructure enabled the researchers to get their hands on 12 GB of stolen data, such as passports, credit card details, and other personal documents, raising the stakes for potential identity theft, blackmail, and phishing attacks.
Third-party attackers can easily access this information without proper authentication mechanisms, increasing the risk for victims.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.