TrickMo Android Trojan: Bank Fraud with Accessibility Services Exploitation

September 15, 2024

TLDR:

A new variant of the TrickMo Android banking trojan abuses accessibility services to display fake login screens and steal banking credentials. The malware can record screen activity, log keystrokes, harvest photos and SMS messages, and carry out on-device fraud. TrickMo is installed through a dropper app that masquerades as Google Chrome and downloads the payload under the guise of “Google Services.” Once granted accessibility permissions, it intercepts SMS messages, handles notifications, and carries out HTML overlay attacks. TrickMo’s C2 server was misconfigured, exposing sensitive data and leaving victims vulnerable to identity theft and financial fraud.

Article:

Cybersecurity researchers have identified a new variant of an Android banking trojan known as TrickMo that is designed to evade analysis and display fake login screens to steal banking credentials. The malware, first discovered by CERT-Bund in 2019, targets Android devices, particularly users in Germany, to facilitate financial fraud by siphoning one-time passwords (OTPs) and two-factor authentication (2FA) codes.

TrickMo is believed to be the work of the now-defunct TrickBot e-crime gang and has continually improved its obfuscation and anti-analysis features over time. The malware can record screen activity, log keystrokes, harvest photos and SMS messages, remotely control infected devices for on-device fraud (ODF), and abuse Android’s accessibility services API to conduct HTML overlay attacks and perform clicks and gestures on the device.

The malware is installed through a dropper app disguised as Google Chrome that prompts users to update Google Play Services. Once the user enables accessibility services for the new app, TrickMo gains extensive control over the device, allowing it to intercept SMS messages, handle notifications, and execute HTML overlay attacks to steal user credentials.
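The infection chain above hinges on two observable facts about the device: a sideloaded package (the dropper is not installed from Google Play) and an accessibility service enabled for that package. The following Python triage script, an added example that is not part of the original article or of any published analysis, cross-checks the two. It parses constructed samples shaped like the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `adb shell pm list packages -i` (`package:<name>  installer=<installer>`, where `installer=null` marks a package with no recorded installer, typically sideloaded or preinstalled). The package names, the system-prefix allowlist and the lookalike-word heuristic are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: one legitimate screen reader and one sideloaded app whose
# name imitates Chrome, both with an enabled accessibility service.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.A11yService"
)

# Constructed sample of `pm list packages -i` output (package names are invented).
PACKAGE_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.android.settings  installer=null
"""

# Installers we treat as trusted. Enterprise MDM agents would be added here (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}
# Preinstalled system packages often report installer=null; exempt these prefixes
# from the installer check (heuristic). Limitation: a sideloaded package that copies
# a system prefix slips past this rule, so compare against the device's preinstalled
# package list where one is available.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")
# Words a dropper posing as a Google component is likely to borrow (assumption).
LOOKALIKE_WORDS = ("chrome", "google", "play", "service")


@dataclass
class Finding:
    package: str
    service: str
    installer: str
    reasons: Tuple[str, ...]


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/svc:pkg/svc' into (package, service) pairs; empty input yields []."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        services.append((pkg, svc))
    return services


def parse_installers(raw: str) -> Dict[str, str]:
    """Map each listed package to the installer string reported by pm."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage(enabled_raw: str, packages_raw: str) -> List[Finding]:
    """Flag enabled accessibility services that were not installed from a trusted
    store, or whose package name imitates a Google/system component."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg, "unknown")
        reasons = []
        is_system = pkg.startswith(SYSTEM_PREFIXES)
        if installer not in TRUSTED_INSTALLERS and not is_system:
            reasons.append(f"installer={installer}")
        if not is_system and any(w in pkg.lower() for w in LOOKALIKE_WORDS):
            reasons.append("package name imitates a Google/system app")
        if reasons:
            findings.append(Finding(pkg, svc, installer, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_SERVICES, PACKAGE_LIST):
        print(f"SUSPICIOUS {f.package} ({f.service}): {'; '.join(f.reasons)}")
```

Run against a real device by substituting the two constants with the captured `adb` output. Any hit deserves a look at the APK's signing certificate and its requested permissions (SMS, notification listener) before the service is disabled; a legitimate screen reader or automation tool installed from outside Google Play will also trip the installer rule, so the output is a triage list, not a verdict.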

Additionally, TrickMo’s command-and-control (C2) server was misconfigured, exposing 12 GB of sensitive data, including credentials and pictures, without requiring authentication. The C2 server also hosts fake login pages for various services, exposing victims to the risk of identity theft, unauthorized fund transfers, fraudulent purchases, and account hijacking.

The disclosure of TrickMo comes as Google has been working on security measures to prevent sideloading and ensure apps are downloaded from Google Play. The exposure of sensitive data from TrickMo’s C2 infrastructure highlights the operational security blunders of threat actors and the risks posed to victims.
