Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Mobile Threats. Show all posts

TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.

Mobile Banking Trojan Volume Doubles

 


There were nearly 200,000 new telecommunications and banking Trojans developed in 2022, an increase of 100% over the previous year and the biggest spike in mobile malware development seen in the previous six years, confirming the trend of mobile malware development being propelled forward in recent years. 

The information was provided by Kaspersky Lab's report entitled "Mobile Threats in 2022" which can be found here. During the year, the firm also reported that 1.6 million malware installers were detected as part of its telemetry as provided by telemetry. While malware creation surged ahead in 2020, there was a decline in threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), despite the surge in attacks in 2021. 

Based on the report released today, cybercriminals are increasingly targeting mobile users. They are also investing a lot of time in creating updated malware to steal financial information, making these increased activities more likely. Similarly, it stated, over the last few years, cybercriminal activity has leveled off, with attack numbers staying steady after slackening in 2021. 

The truth is that cybercriminals continue to improve the functionality of malware as well as how it spreads. 

The banking Trojan is designed to steal mobile banking credentials and e-payment information, but it can quickly be repurposed to steal other kinds of information, including those related to identity theft and the spread of other malware. In the past few years, many malware strains have emerged that have become synonymous with the term "all-purpose malware strains", including popular strains like Emotet and TrickBot, for instance. 

There is a great risk that you might encounter a banking Trojan if you use a non-official app store, but Google Play has been repeatedly flooded with "downloaders of trojans such as Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph disguised as utilities." 

According to Kaspersky's report, unofficial apps pose the greatest risk. Sharkbot is an example of malware masquerading as a legitimate file manager that is malicious (and can evade Google's vetting process) until it has been installed. 

After that, it will begin to request permission to install other packages which will together perform malicious banking Trojan activities that can be considered malicious. In recent years, mobile banking Trojans have been one of the most prevalent and concerning mobile malware threats, used to implement attacks to steal data related to online banking and e-payment systems as well as bank credentials. This is the highest number of mobile banking Trojan installers detected by Kaspersky in the past six years. The number was double what Kaspersky detected in 2021 and represents a fifty percent increase from that year's figure. 

In light of this, cybercriminals are increasingly interested in stealing financial data from smartphone users, and this information is a target of their attacks. It is also clear that they seem to be investing heavily in updating their malware, which may result in severe losses for their targets in the long run. 

The Trojan banker malware is spread by cyber criminals through both official and unofficial app stores, through which they distribute their malware. Several banking Trojan families are still available on Google Play, including Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph, which are disguised as utilities but are downloaders for banking Trojans.  

In Sharkbot's case, they created a fake file manager in which they would distribute downloaders. A Trojan can request permission to be installed on the device of a user, thus putting the user's security at risk. Furthermore, these downloaders can request permission to be installed on the device so that it can operate on the user's device.