Cybersecurity researchers have discovered a new variant of an Android banking trojan called TrickMo that comes with new capabilities to evade analysis and display fake login screens to obtain victims’ banking credentials.
“Mechanisms include using malformed ZIP files in conjunction with JSONPacker,” Cleafy security researchers Michele Raviello and Alessandro Stryna said. “In addition, the application is installed through a dropper program that uses the same anti-analysis mechanisms.”
“These features are designed to avoid detection and prevent cybersecurity professionals from analyzing and destroying malware.”
TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, specifically users in Germany, to intercept one-time passwords (OTPs) and other two-factor authentication (2FA) codes in order to facilitate financial fraud.
The mobile-targeting malware is believed to be the work of the now-defunct TrickBot cybercriminal gang, which has been constantly improving its obfuscation and anti-analysis features over time to stay under the radar.
Its features include the ability to record screen activity, capture keystrokes, collect photos and SMS messages, remotely control an infected device to perform on-device fraud (ODF), and abuse the Android Accessibility Services API both to carry out HTML overlay attacks and to perform clicks and gestures on the device.
The malicious dropper app, discovered by the Italian cybersecurity company, disguises itself as the Google Chrome web browser; when launched after installation, it prompts the victim to update Google Play services by pressing a “Confirm” button.
When the user proceeds with the update, the APK file containing the TrickMo payload is downloaded to the device under the guise of “Google Services”, after which the user is prompted to enable accessibility services for the new app.
“Accessibility services are designed to help users with disabilities by providing alternative ways to interact with their devices,” the researchers said. “However, when using malware like TrickMo, these services can provide extensive device control.”
“This increased permission allows TrickMo to perform a variety of malicious activities, such as intercepting SMS messages, processing notifications to intercept or hide authentication codes, and performing HTML overlay attacks to steal user credentials. In addition, the malware can bypass key protection and automatically accept permissions, making it easy to integrate it into the device’s operation.”
In addition, abuse of accessibility services allows the malware to disable critical security features and system updates, grant itself permissions at will, and prevent certain apps from being uninstalled.
Cleafy’s analysis also found misconfigurations in the command-and-control (C2) server that allowed 12 GB of sensitive data stolen from infected devices, including credentials and images, to be accessed without authentication.
The C2 server also hosts the HTML files used in the overlay attacks. These files are fake login pages for various services, including banks such as ATB Mobile and Alpha Bank, and cryptocurrency platforms such as Binance.
The security lapse not only highlights an operational security (OPSEC) failure on the part of the threat actors, but also exposes victims’ data to the risk of exploitation by other threat actors.
The wealth of information obtained from TrickMo’s C2 infrastructure can be used to commit identity theft, hack into various online accounts, conduct unauthorized fund transfers, and even make fraudulent purchases. Even worse, attackers can hijack accounts and lock out victims by resetting their passwords.
“Using personal information and images, an attacker can create persuasive messages that compel victims to divulge more information or take malicious actions,” the researchers noted.
“The use of such comprehensive personal data results in immediate financial and reputational damage and long-term consequences for victims, making recovery a complex and lengthy process.”
The disclosure comes as Google closes loopholes around sideloading, allowing third-party developers to determine via the Play Integrity API whether their apps are being sideloaded and, if so, to require users to download the apps from Google Play in order to continue using them.
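As an added illustration, not code from the article or from Cleafy, here is the kind of server-side decision an app developer would make on a decoded Play Integrity verdict: the `appRecognitionVerdict` field is what separates a Play-installed build from a sideloaded or repackaged one. The verdict payload below is constructed, and the function names, the placeholder digest and the "reinstall from Play" policy are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample of a decoded Play Integrity verdict (the real token is
# decrypted server-side before it looks like this). Package name, nonce and
# digest are placeholders, not values from any real app.
def make_verdict(recognition: str, device_ok: bool = True) -> str:
    return json.dumps({
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": "n0nce-abc", "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": recognition,
                         "packageName": "com.example.bank",
                         "certificateSha256Digest": ["PLACEHOLDER_DIGEST"],
                         "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict":
                            ["MEETS_DEVICE_INTEGRITY"] if device_ok else []},
        "accountDetails": {"appLicensingVerdict": "LICENSED" if recognition == "PLAY_RECOGNIZED" else "UNLICENSED"},
    })

@dataclass
class Decision:
    allow: bool
    reason: str

def evaluate_integrity(verdict_json: str, expected_nonce: str,
                       expected_package: str, expected_digests: set) -> Decision:
    """Decide whether to keep serving this client.

    Order matters: a verdict whose nonce or package does not match the request
    we issued is treated as a replay or forgery, not as a sideload signal."""
    v = json.loads(verdict_json)
    req = v.get("requestDetails", {})
    if req.get("nonce") != expected_nonce or req.get("requestPackageName") != expected_package:
        return Decision(False, "verdict does not belong to this request")
    app = v.get("appIntegrity", {})
    if app.get("packageName") != expected_package or \
            not set(app.get("certificateSha256Digest", [])) & expected_digests:
        return Decision(False, "unexpected package name or signing certificate")
    rec = app.get("appRecognitionVerdict")
    if rec != "PLAY_RECOGNIZED":
        # UNRECOGNIZED_VERSION and UNEVALUATED cover sideloaded or repackaged
        # builds; this is the case the article says developers can now act on.
        return Decision(False, f"app not recognized by Play ({rec}); prompt reinstall from Google Play")
    dev = v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in dev:
        return Decision(False, "device integrity not met")
    return Decision(True, "ok")
```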