Android Devices Vulnerable to TrickMo’s New PIN Theft Technique

Newer versions of the malware can mimic lock screens to steal unlock codes—opening up even more possibilities for on-device fraud.

The TrickMo malware, a threat targeting Android devices, has upped its game by adding a new method for stealing unlock patterns and PINs. Discovered by security firm Zimperium, this banking trojan now includes a trick where it mimics the lock screen of the user’s phone, fooling them into giving up their unlock credentials. This latest version is part of 40 different variants identified, which are linked to at least 16 droppers and 22 unique command-and-control (C2) servers.

The Fake Unlock Screen Method

In a rather concerning development, TrickMo can now create an unlock screen that looks almost identical to the real one. Once the user types in their PIN or pattern, thinking it’s their actual lock screen, the malware captures that information and sends it off to the attackers. It even grabs the Android ID from the device, allowing hackers to tie the stolen credentials to specific users.

Beyond this new feature, the malware keeps doing what it has always done: intercepting one-time passwords, taking over screens, and stealing sensitive data. The ability to capture unlock codes makes it more dangerous still, giving cybercriminals a clear path to control the device even when it is supposed to be locked.

A Broader Set of Targets

While TrickMo originally aimed at banking apps, it has expanded to go after a wider range of applications. Today, it doesn’t just steal login information for bank accounts but also targets services like social media, VPNs, and even corporate apps. This flexibility has made the malware much harder to pin down, as it can show up in a variety of contexts and attack vectors.

The malware exploits Android’s Accessibility Service to take more control over the phone than users might realize. This feature, intended to help users with disabilities, is now a common tool for malware developers to automate actions and grant themselves additional permissions.
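Because TrickMo relies on an Accessibility Service grant, a quick defender-side check is to review which packages currently hold that capability. The following triage helper is an added example, not code from Zimperium's report; it parses the raw value of Android's `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on a baseline allowlist. The allowlist and the sample setting value are constructed for illustration.

```python
# Added example: list enabled Android accessibility services and flag packages
# that are not on a known-good baseline. Input format is the colon-separated
# "package/class" list Android stores in the secure setting
# "enabled_accessibility_services"; "null" means nothing is enabled.

# Assumed baseline (constructed). A real one comes from the fleet's MDM policy.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Constructed sample: one legitimate service plus an unknown sideloaded package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.OverlayAccessibilityService\n"
)


def parse_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs.

    A class name beginning with '.' is Android shorthand relative to the
    package name, so it is expanded before being returned.
    """
    value = raw.strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # malformed entry; skip rather than guess
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def flag_unknown(raw: str, allowlist: set[str] = KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return "package/class" for each enabled service outside the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_services(raw) if pkg not in allowlist]


if __name__ == "__main__":
    for svc in flag_unknown(SAMPLE_SETTING):
        print("review accessibility grant:", svc)
```

Pipe the real setting value in from a device and any flagged entry is a candidate for closer inspection, since an unexpected package holding this grant is exactly the foothold the article describes.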

Users Impacted Globally

Through their investigation, Zimperium’s team found that the TrickMo malware has already affected around 13,000 users. These victims are mostly located in countries like Germany, Canada, Turkey, and the UAE. However, Zimperium researchers believe this number might just be scratching the surface, as their analysis only covered a few of the C2 servers used by the malware. The stolen data is regularly uploaded to the C2 servers, including sensitive info like bank credentials and personal identifiers.

This malware continues to spread mainly via phishing. Users receive links to APK files through direct messages or SMS, which, once clicked, initiate the infection. To stay protected, Android users are advised to avoid downloading anything from unknown or suspicious sources.

Advanced Features Keep TrickMo Evolving

Originally exposed by IBM X-Force back in 2020, TrickMo’s ability to evolve has kept it alive in the wild since at least 2019. These latest versions have retained all their older tricks, like intercepting OTPs and exfiltrating private data. What sets the new variants apart is their ability to mimic lock screens to steal unlock codes—opening up even more possibilities for on-device fraud.

Because TrickMo can also record screens and automatically tap on prompts, it can interact with banking apps without the user noticing. By leveraging these abilities, the trojan facilitates fraudulent transactions, often while the victim is asleep or otherwise unaware of what’s happening.

TrickMo Timeline

September 2019: TrickMo is first identified in the wild by CERT-Bund, targeting Android devices primarily in Germany.

2020: IBM X-Force documents TrickMo, revealing its capabilities to intercept one-time passwords (OTPs) and bypass two-factor authentication (2FA).

Early 2024: TrickMo continues to evolve, incorporating advanced obfuscation techniques and anti-analysis mechanisms to evade detection.

June 2024: Cleafy’s Threat Intelligence team observes a new variant of TrickMo with enhanced anti-analysis features, making classification more difficult.

September 2024: Cleafy researchers uncover critical details about TrickMo’s command-and-control (C2) infrastructure. A massive data leak from TrickMo’s C2 server is discovered, exposing 12 GB of stolen data including passports, credit card details, and other personal documents.

October 2024: Zimperium identifies 40 new variants of TrickMo in the wild, linked to 16 droppers and 22 distinct C2 infrastructures.

Last Updated on November 7, 2024 2:33 pm CET

Source: Zimperium
Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
