A perilous new variant of the Android banking malware TrickMo has been discovered, capable of mimicking the Android lock screen and stealing users' PINs. This comes according to the data compiled by the security firm Zimperium, who made a deep analysis of the malware. The firm said that some 40 new variants of TrickMo have been found in the wild. These are associated with 16 dropper applications and 22 different command and control (C2) servers.
The new report follows earlier research by Cleafy, which had already managed to detect some of these, but not all, variants. TrickMo had been observed used in cyberattacks since September 2019, although it wasn't documented until last year by the IBM X-Force group.
How TrickMo Works to Deceive
One such feature in this new version of TrickMo is the fake Android lock screen designed to further dupe the users into handing over their PIN or unlock pattern. The screen seems like a real one. It actually renders in full-screen mode to mimic the prompt from an original Android. Once the user inputs his credentials, malware will capture that and transmit over to a remote server along with its unique identifier. This will provide thieves with access to the device later, often when it is not actively monitored, allowing them to go on and carry out whatever fraudulent activities they want.
In addition, TrickMo has other malicious abilities-the intercepting of one-time passwords, screen recording, exfiltration of data, and even the remote control of the infected device. Thus, TrickMo is another banking trojan, which mainly operates relying on the stealing of login credentials with the presentation of phishing pages of various banks.
The New Generation of Adaptation Malware
New variants of TrickMo malware attempt to exploit the Accessibility Service permission in Android. As a result, the malware would be able to grab greater control over the device and the possibility of automating different actions without even letting the actual user know about such actions. This is an abuse of accessibility features that grants the malware easier ways for interacting with system prompts, such as giving itself further permissions or making phishing pages appear.
Cyber security experts consider the mature and dynamic capabilities to make TrickMo a most dangerous threat. The phishing screens will be more likely to capture the users, and once the credentials are captured, then hackers can carry out unauthorised transactions using their banking apps or log in to other sensitive accounts.
Large-scale Impact on Victims
Zimperium's research showed that at least 13,000 victims from several countries, such as Canada, United Arab Emirates, Turkey, and Germany, have been affected by the TrickMo malware. The real number of attached devices, however, may be much higher as the malware operates through multiple C2 servers.
It targeted most of the banking applications but has since grown to target many more applications such as VPN services, streaming services, online e-commerce websites, and even social media and enterprise-based platforms. More alarming, it threatens because it can compromise user accounts associated with different kinds of services, not just financial services.
Staying Safe from TrickMo
This spreads through misleading the users into downloading the malicious APK files from unknown sources. To avoid infection, users are not encouraged to click on any links whatsoever-those coming through SMS or direct messages from unknown contacts in particular. Enablement of Google Play Protect is likely to prevent known variants of TrickMo from being installed on Android devices.
The sophistication level of malware like TrickMo tends to keep reminding everyone of the importance of maintaining their software up to date and not to interact with any unfamiliar apps or websites. As it continues to morph into even dangerous forms, cybersecurity experts have kept alerting Android users to be on high alert and ensure that such security features like Google Play Protect are turned on in order to provide a first line of defence against such threats.
Zimperium has taken the noble step in releasing TrickMo's C2 infrastructure details on GitHub, thus being in a better position to help cybersecurity experts and organisations ward off the trojan. It is important to note that while saying so, users are advised to be vigilant and take proper measures to ensure their sensitive information will not be compromised by malicious software such as TrickMo.
