Mobile device and app security firm Zimperium has discovered a new capability in the notorious banking Trojan TrickMo. Some of the samples the company analyzed are able to steal a device’s unlock pattern or PIN.
This new feature enables the malefactor to operate on the device even while it is locked. To obtain the necessary unlock information, the malware shows a fake user interface that mimics the device’s legitimate unlock screen.
When users enter their unlock pattern or PIN, the data is transmitted to a PHP script along with the Android ID (a unique device identifier), enabling attackers to correlate the stolen credentials with the specific device.
Advanced Evasion Techniques
In September this year, cybersecurity firm Cleafy publicly disclosed this new variant of the Trojan. The variant exhibited sophisticated evasion techniques such as zip file manipulation and obfuscation, and raised concerns across the cybersecurity community.
Cleafy didn’t release specific Indicators of Compromise (IOCs), but further research by Zimperium identified 40 recent variants of this threat, 16 droppers and 22 active Command and Control (C2) servers, as well as additional functionalities.
Zimperium said its analysis suggests that many of these samples remain undetected by the broader security community.
TrickMo’s Stealthy New Capabilities
TrickMo, known for its capabilities to intercept OTPs, record screens, exfiltrate data, and even execute remote control over infected devices, continues to evolve. The latest research indicates that these 40 variants maintain the same core capabilities as reported by Cleafy, including:
- OTP Interception
- Screen Recording
- Data Exfiltration
- Remote Control
- Auto-permission granting and auto-click on prompts
- Abuse of Accessibility Services
- Overlay Display for Credential Theft
These features allow TrickMo to infiltrate a device’s stored information comprehensively, exposing victims to potentially severe financial losses through unauthorized access to banking applications and other sensitive data.
Exposing Victims via C2 Servers
The investigation also led to successful access to several C2 servers where files containing approximately 13,000 unique IP addresses of victims were discovered. Geolocation analysis revealed the primary targets to be in Canada, the United Arab Emirates, Turkey, and Germany. While no data leakage was directly observed on these C2 servers, updates to the IP list indicate regular exfiltration of credentials whenever new devices are compromised.
The stolen data encompasses a broad range of credentials, not limited to banking details but also including those used for accessing corporate resources such as VPNs and internal sites. This highlights the need for strengthened mobile device security measures, as these devices increasingly serve as potential entry points for cyberattacks on organizations.
Most Targeted Applications and Industries
The data gathered has facilitated a more precise understanding of TrickMo’s targeted application categories. These include banking, corporate apps, and critical services, where a compromise is likely to result in data breaches with significant financial and operational impacts for the victims and affected organizations.
Given the increasing threat posed by TrickMo and similar malware, Zimperium advises businesses to implement robust Mobile Threat Defense (MTD) and Mobile Application Protection Suite (MAPS) solutions.
As TrickMo continues to evolve, experts recommend that individuals and organizations alike remain vigilant, adopt proactive defense measures, and stay informed on the latest developments in mobile malware tactics.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.