Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label TrickMo. Show all posts

New TrickMo Variants Exploit Fake Lock Screens to Steal Android PINs

 



A perilous new variant of the Android banking malware TrickMo has been discovered, capable of mimicking the Android lock screen and stealing users' PINs. This comes according to the data compiled by the security firm Zimperium, who made a deep analysis of the malware. The firm said that some 40 new variants of TrickMo have been found in the wild. These are associated with 16 dropper applications and 22 different command and control (C2) servers.

The new report follows earlier research by Cleafy, which had already managed to detect some of these, but not all, variants. TrickMo had been observed used in cyberattacks since September 2019, although it wasn't documented until last year by the IBM X-Force group.


How TrickMo Works to Deceive

One such feature in this new version of TrickMo is the fake Android lock screen designed to further dupe the users into handing over their PIN or unlock pattern. The screen seems like a real one. It actually renders in full-screen mode to mimic the prompt from an original Android. Once the user inputs his credentials, malware will capture that and transmit over to a remote server along with its unique identifier. This will provide thieves with access to the device later, often when it is not actively monitored, allowing them to go on and carry out whatever fraudulent activities they want.

In addition, TrickMo has other malicious abilities-the intercepting of one-time passwords, screen recording, exfiltration of data, and even the remote control of the infected device. Thus, TrickMo is another banking trojan, which mainly operates relying on the stealing of login credentials with the presentation of phishing pages of various banks.


The New Generation of Adaptation Malware

New variants of TrickMo malware attempt to exploit the Accessibility Service permission in Android. As a result, the malware would be able to grab greater control over the device and the possibility of automating different actions without even letting the actual user know about such actions. This is an abuse of accessibility features that grants the malware easier ways for interacting with system prompts, such as giving itself further permissions or making phishing pages appear.

Cyber security experts consider the mature and dynamic capabilities to make TrickMo a most dangerous threat. The phishing screens will be more likely to capture the users, and once the credentials are captured, then hackers can carry out unauthorised transactions using their banking apps or log in to other sensitive accounts.


Large-scale Impact on Victims

Zimperium's research showed that at least 13,000 victims from several countries, such as Canada, United Arab Emirates, Turkey, and Germany, have been affected by the TrickMo malware. The real number of attached devices, however, may be much higher as the malware operates through multiple C2 servers.

It targeted most of the banking applications but has since grown to target many more applications such as VPN services, streaming services, online e-commerce websites, and even social media and enterprise-based platforms. More alarming, it threatens because it can compromise user accounts associated with different kinds of services, not just financial services.


Staying Safe from TrickMo

This spreads through misleading the users into downloading the malicious APK files from unknown sources. To avoid infection, users are not encouraged to click on any links whatsoever-those coming through SMS or direct messages from unknown contacts in particular. Enablement of Google Play Protect is likely to prevent known variants of TrickMo from being installed on Android devices.

The sophistication level of malware like TrickMo tends to keep reminding everyone of the importance of maintaining their software up to date and not to interact with any unfamiliar apps or websites. As it continues to morph into even dangerous forms, cybersecurity experts have kept alerting Android users to be on high alert and ensure that such security features like Google Play Protect are turned on in order to provide a first line of defence against such threats.

Zimperium has taken the noble step in releasing TrickMo's C2 infrastructure details on GitHub, thus being in a better position to help cybersecurity experts and organisations ward off the trojan. It is important to note that while saying so, users are advised to be vigilant and take proper measures to ensure their sensitive information will not be compromised by malicious software such as TrickMo.


TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.