A new variant of the TrickMo malware has surfaced in numerous cybercriminal operations. Reports revealed that this Android banking malware is linked to 16 droppers and 22 unique C2 infrastructures, and that it carries new capabilities for stealing PINs.
This new strain has been observed across most of these affiliated entities, though not all of them are currently circulating in the wild. Researchers first identified TrickMo almost four years ago, but they claim that threat actors had already used it as early as 2019.
The TrickMo malware can execute various stealing capabilities.
The new version of the TrickMo malware strain includes critical capabilities such as one-time password (OTP) interception, screen recording, data exfiltration, and remote control.
Moreover, the malware attempts to abuse the Accessibility Service permission to acquire further access and to automatically tap on prompts as needed. The researchers explained that this banking trojan displays phishing login screens impersonating numerous banks and financial institutions. This tactic enables its operators to steal account credentials and conduct unauthorised activities.
Further research also uncovered new variations of TrickMo that use fake lock screens impersonating the real Android unlock prompt. The fake lock screen is designed to steal the user’s unlock pattern or PIN.
The bogus user interface is an HTML page hosted on an external website and displayed in full-screen mode on the device. Its full-screen presentation makes the fake screen appear legitimate and could easily fool unsuspecting users.
Once the user enters their unlock pattern or PIN, the page sends the collected input together with a unique device identifier to a PHP script. The attackers can then use the stolen PIN to unlock the device while it is left unattended.
The latest tally for this campaign showed that it had already compromised at least 13,000 users. The tally also showed that most infected users are in Canada, with significant numbers of affected Android smartphone owners in the UAE, Turkey, and Germany as well.
The primary vector for spreading the TrickMo malware is phishing that delivers malicious APK files. Android users, especially those in the countries named above, should therefore be wary of downloading and installing files from unverified sources to avoid falling victim to this emerging threat.
