New variants of an Android banking trojan called TrickMo have been found to contain previously undocumented features to steal a device’s unlock pattern or PIN.
“This new addition allows a threat actor to act on a device even if it’s locked,” Zimperium security researcher Aazim Yaswant said in an analysis published last week.
First spotted in the wild in 2019, TrickMo is so named for its association with the TrickBot cybercrime group. It is capable of granting remote control of infected devices, stealing SMS-based one-time passwords (OTPs) and displaying overlays to capture credentials by abusing Android’s accessibility services.
Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and to grant itself additional permissions for various malicious actions on the device, including conducting unauthorized transactions.
The malware has also been equipped to collect the device’s unlock pattern or PIN by presenting victims with a deceptive user interface (UI) that mimics the device’s actual unlock screen.
The UI is an HTML page hosted on an external website and displayed in full-screen mode, giving the impression that it is the legitimate unlock screen.
When an unsuspecting user enters their unlock pattern or PIN, the entry, along with the device’s unique identifier, is transmitted to an attacker-controlled server (“android.ipgeo(.)at”) in an HTTP POST request.
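The exfiltration described above gives a defender two things to look for in outbound HTTP traffic: a POST to the reported C2 host, and a POST body that carries an unlock secret together with a device identifier. The following detection script is an added example, not code from Zimperium or from TrickMo itself. The only indicator it takes from the report is the host android.ipgeo(.)at (written undefanged in the code so that it matches real traffic); the log line format, the form field names (“pattern”, “pin”, “android_id” and so on) and the sample log entries are constructed assumptions.

```python
"""Added example (not Zimperium's or TrickMo's code): flag outbound HTTP POSTs
that resemble the fake-unlock-screen exfiltration described in the article.

Assumptions (not from the article): the log line format, the form field names
in SECRET_FIELDS / DEVICE_ID_FIELDS, and the constructed SAMPLE_LOG entries.
The C2 host is the indicator named in the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicator from the report, undefanged so it matches a real Host header.
C2_HOSTS = {"android.ipgeo.at"}

# Hypothetical field names a fake unlock page might submit. The article only
# states that the pattern/PIN and a unique device identifier are POSTed.
SECRET_FIELDS = {"pattern", "pin", "unlock", "password"}
DEVICE_ID_FIELDS = {"android_id", "device_id", "imei"}

PIN_RE = re.compile(r"^\d{4,8}$")                  # numeric PIN
PATTERN_RE = re.compile(r"^[0-8](?:-[0-8]){3,8}$")  # 3x3 grid dots joined by '-'

# Assumed log format: "<timestamp> <METHOD> <url> body=<urlencoded body>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["host"] = (urlsplit(d["url"]).hostname or "").lower()
    d["fields"] = {k: v[0] for k, v in parse_qs(d["body"], keep_blank_values=True).items()}
    return d


def classify(entry):
    """Return the list of reasons a request is suspicious (empty if benign)."""
    reasons = []
    if entry["method"] != "POST":
        return reasons
    if entry["host"] in C2_HOSTS:
        reasons.append("known TrickMo C2 host")
    fields = entry["fields"]
    secrets = [v for k, v in fields.items() if k.lower() in SECRET_FIELDS]
    has_secret = any(PIN_RE.match(v) or PATTERN_RE.match(v) for v in secrets)
    has_device_id = any(k.lower() in DEVICE_ID_FIELDS for k in fields)
    # A pattern/PIN-shaped value alone is weak; paired with a device ID it is
    # the exact combination the article says is exfiltrated.
    if has_secret and has_device_id:
        reasons.append("unlock secret + device identifier in POST body")
    return reasons


def scan(lines):
    """Return [(timestamp, host, reasons)] for every line that trips a rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append((entry["ts"], entry["host"], reasons))
    return hits


# Constructed sample traffic for the example; these are not real captures.
SAMPLE_LOG = [
    "2024-10-12T09:14:03Z POST https://android.ipgeo.at/collect body=android_id=3f2a9c1e8b7d6a54&pattern=0-1-2-5-8",
    "2024-10-12T09:14:09Z POST https://example-bank.test/login body=user=alice&password=hunter2",
    "2024-10-12T09:15:00Z GET https://cdn.example.test/app.js body=",
    "2024-10-12T09:16:41Z POST https://updates.example.test/api body=device_id=0011223344&pin=123456",
]

if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_LOG):
        print(ts, host, "; ".join(reasons))
```

The host match is the high-confidence rule; the body heuristic is there because a C2 domain is cheap to rotate, while the shape of what is stolen (a PIN or pattern plus a device identifier) is not. A normal login POST with a free-form password and no device identifier does not trip it.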
Zimperium said that the lack of proper protection on the command-and-control (C2) servers allowed it to gain insight into the types of data stored on them. This includes files from approximately 13,000 unique IP addresses, most of which are located in Canada, the UAE, Turkey and Germany.
“These stolen credentials are not only limited to banking information, but also encompass those used to access corporate resources such as VPNs and internal websites,” Yaswant said. “This underscores the critical importance of protecting mobile devices, as they can serve as a primary entry point for cyberattacks on organizations.”
Another notable aspect is TrickMo’s broad targeting, collecting data from applications spanning multiple categories such as banking, enterprise, job and recruitment, e-commerce, trading, social, streaming and entertainment, VPN, government, education, telecommunications and healthcare.
This development comes amid the emergence of a new Android banking trojan, ErrorFather, which uses a variant of Cerberus to carry out financial fraud.
“The emergence of ErrorFather highlights the continuing dangers of malware repurposing, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered,” Broadcom-owned Symantec said.
According to data from Zscaler ThreatLabz, financially motivated mobile attacks using banking malware increased by 29% between June 2023 and April 2024 compared to the previous year.
India was the top target for mobile attacks during this time, experiencing 28% of all attacks, followed by the US, Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore and the Philippines.