Cybersecurity researchers have discovered a new variant of an Android banking Trojan called TrickMo that boasts new features to evade analysis and display fake login screens to capture victims’ banking credentials.
“The mechanisms include the use of malicious ZIP files in combination with JSONPacker,” said Cleafy security researchers Michele Roviello and Alessandro Strino. “Furthermore, the application is installed through a dropper app that shares the same anti-analysis mechanisms.”
“These features are designed to evade detection and hinder cybersecurity experts’ efforts to analyze and mitigate the malware.”
First discovered by CERT-Bund in September 2019, TrickMo has a history of targeting Android devices, particularly users in Germany, and stealing one-time passwords (OTP) and other two-factor authentication (2FA) codes to commit financial fraud.
The mobile-focused malware, credited to the now-disbanded electronic crime group TrickBot, managed to fly under the radar for years by continually improving its obfuscation and anti-analysis capabilities.
Notable capabilities include recording screen activity, logging keystrokes, collecting photos and SMS messages, remotely controlling an infected device to perform on-device fraud (ODF), and abusing Android’s Accessibility Services API to carry out HTML overlay attacks and to inject clicks and gestures on the device.
The malicious dropper app, discovered by the Italian cybersecurity firm Cleafy, poses as the Google Chrome web browser and, once installed and launched, prompts victims to tap a “Confirm” button to update Google Play services.
If users proceed with the update, an APK file containing the TrickMo payload disguised as “Google Services” is downloaded onto the device, after which the user is prompted to enable accessibility services for the new app.
“Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices,” the researchers wrote, “but when exploited by malicious apps like TrickMo, these services can provide extensive control over the device.”
“This privilege escalation allows TrickMo to perform a variety of malicious actions, including intercepting SMS messages, handling notifications to intercept or hide authentication codes, and performing HTML overlay attacks to steal user credentials. Additionally, the malware can override keyguard and auto-approval permissions, allowing it to seamlessly integrate into the device’s operation.”
Additionally, misusing Accessibility Services allows malware to disable important security features and system updates, automatically grant arbitrary permissions, and prevent certain apps from being uninstalled.
Cleafy’s analysis also revealed a misconfiguration of the command-and-control (C2) server that allowed the researchers to access, without any authentication, 12 GB of sensitive data stolen from infected devices, including credentials and photos.
The C2 server also hosts HTML files used in the overlay attacks, which contain fake login pages for various services, including banks such as ATB Mobile and Alpha Bank, and cryptocurrency platforms such as Binance.
This exposure not only highlights the threat actors’ poor operational security (OPSEC), but also puts victims’ data at risk of misuse by other threat actors.
The wealth of information exposed by TrickMo’s C2 infrastructure could be used to steal identities, compromise various online accounts, make fraudulent transfers, or even make fraudulent purchases. Worse still, attackers could take over accounts and reset passwords, locking victims out.
“Using personal information and images, attackers can craft convincing messages to trick victims into revealing more information or carrying out malicious actions,” the researchers note.
“The misuse of such comprehensive personal data can result in immediate financial and reputational damage to victims, as well as long-term impacts, and recovery can be a complex and lengthy process.”
The disclosure comes as Google is closing a security hole around sideloading by allowing third-party developers to use the Play Integrity API to determine whether their apps have been sideloaded, and if so, require users to download the app from Google Play to continue using it.