TrickMo Android Trojan: Bank Fraud with Accessibility Services Exploitation

September 15, 2024
TLDR:

TrickMo, a new variant of an Android banking trojan, abuses accessibility services to display fake login screens and steal banking credentials. The malware can record screen activity, log keystrokes, harvest photos and SMS messages, and carry out on-device fraud. TrickMo is installed through a dropper app that masquerades as Google Chrome and downloads the payload under the guise of “Google Services.” Once granted accessibility access, the malware intercepts SMS messages, handles notifications, and carries out HTML overlay attacks. TrickMo’s C2 server was misconfigured in a way that exposed sensitive data, leaving victims vulnerable to identity theft and financial fraud.

Article:

Cybersecurity researchers have identified a new variant of an Android banking trojan known as TrickMo that is designed to evade analysis and display fake login screens to steal banking credentials. The malware, first discovered by CERT-Bund in 2019, targets Android devices, particularly users in Germany, to facilitate financial fraud by siphoning one-time passwords (OTPs) and two-factor authentication (2FA) codes.

TrickMo is believed to be the work of the now-defunct TrickBot e-crime gang and has continually improved its obfuscation and anti-analysis features over time. The malware can record screen activity, log keystrokes, harvest photos and SMS messages, remotely control infected devices for on-device fraud (ODF), and abuse Android’s accessibility services API to conduct HTML overlay attacks and perform clicks and gestures on the device.

The malware is installed through a dropper app disguised as Google Chrome that prompts users to update Google Play Services. Once the user enables accessibility services for the new app, TrickMo gains extensive control over the device, allowing it to intercept SMS messages, handle notifications, and execute HTML overlay attacks to steal user credentials.
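The infection chain above hinges on one user action: granting accessibility access to a sideloaded app. An analyst triaging a device can therefore start by listing which packages currently hold that grant. The following is an added example (not code from the article or from any vendor tool) that parses the value of Android's secure setting `enabled_accessibility_services`, as printed by `adb shell settings get secure enabled_accessibility_services`, and flags packages outside a vetted allow-list. The allow-list, the sample setting value and the dropper package name `com.example.fake_chrome_dropper` are constructed placeholders, not indicators from the report; the real Chrome package name `com.android.chrome` is the only identifier an impersonator cannot reuse.

```python
"""Flag third-party apps holding Android accessibility-service grants.

Added example for triage, not code from the article or from any vendor.
The secure setting 'enabled_accessibility_services' holds a colon-separated
list of '<package>/<service class>' entries, or 'null' when empty. A service
written as '.Relative' is relative to its package.
"""
from typing import Dict, List, Tuple

# Constructed allow-list: packages an organisation has vetted for this grant.
# TalkBack (Google's screen reader) is a typical legitimate holder; a real
# deployment would derive this set from its own MDM policy.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# The genuine Chrome package name; a Chrome-branded dropper cannot use it
# because the name is already taken on any device with Chrome installed.
REAL_CHROME_PACKAGE = "com.android.chrome"


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully-qualified service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: List[Tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # tolerate trailing separators or malformed entries
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def flag_unvetted(raw: str, allowed=ALLOWED_PACKAGES) -> Dict[str, List[str]]:
    """Return {package: [services]} for grants held by non-allow-listed apps."""
    findings: Dict[str, List[str]] = {}
    for pkg, svc in parse_enabled_services(raw):
        if pkg not in allowed:
            findings.setdefault(pkg, []).append(svc)
    return findings


def looks_like_chrome_impersonator(pkg: str, app_label: str) -> bool:
    """True when an app is labelled 'Chrome' but is not the real Chrome package.

    The label would come from package-manager output in practice; here it is
    passed in so the check runs offline.
    """
    return "chrome" in app_label.lower() and pkg != REAL_CHROME_PACKAGE


# Constructed sample of the setting on a device where TalkBack is enabled and
# a sideloaded app (placeholder package name) was also granted the service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fake_chrome_dropper/.AccessibilityHook"
)

if __name__ == "__main__":
    for pkg, services in flag_unvetted(SAMPLE_SETTING).items():
        print(f"unvetted accessibility grant: {pkg} -> {', '.join(services)}")
```

Run it against the setting value pulled from a suspect device; every package it reports deserves a look at where it was installed from (Play vs. sideload) and what its manifest declares, since a banking app or a browser has no reason to hold an accessibility grant.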

Additionally, TrickMo’s command-and-control (C2) server had misconfigurations that exposed 12 GB of sensitive data, including credentials and pictures, without requiring authentication. The C2 server hosts fake login pages for various services, exposing victims to the risk of identity theft, unauthorized fund transfers, fraudulent purchases, and account hijacking.

The disclosure of TrickMo comes as Google has been working on security measures to prevent sideloading and ensure apps are downloaded from Google Play. The exposure of sensitive data from TrickMo’s C2 infrastructure highlights the operational security blunders of threat actors and the risks posed to victims.