A new strain of Android banking malware, TrickMo, has been uncovered by Cleafy’s Threat Intelligence team, raising significant concerns about user security. This sophisticated malware, a variant of TrickBot, employs advanced techniques to evade detection. Unlike traditional malware, TrickMo uses complex anti-analysis methods such as broken zip files, jsonpacker, and dropper apps disguised as legitimate applications like “Google Chrome.” Once installed, TrickMo leverages Android Accessibility Services to gain extensive control over the infected device, allowing it to capture one-time passwords, record screens, and log keystrokes.
TrickMo’s functionality extends beyond basic data theft. It automates various malicious actions using a Clicker configuration (clicker.json), targeting both system and utility applications. This includes intercepting SMS messages, retrieving photos, screen recording, and conducting HTML overlay attacks to steal credentials. The malware’s ability to manipulate the device’s default SMS app and perform automated clicks and gestures enhances its capability to compromise sensitive information effectively.
The malware communicates with a Command and Control (C2) server to exfiltrate stolen data, including credentials and personal photos. Unfortunately, the C2 server’s poor configuration led to a significant data leak, exposing 12 GB of victim information. This breach included sensitive data such as operation logs, HTML documents used for attacks, and CSV files with stolen usernames and passwords. The exposed data not only highlights the flaws in TrickMo’s infrastructure but also increases the risk of identity theft and targeted phishing attacks.
TrickMo was initially reported by CERT-Bund in 2019 and primarily targets banking applications within Europe, with a particular focus on German-language settings. The malware’s advanced evasion techniques and the exposure of critical data underscore the need for robust security measures. Organizations and individuals alike must enhance their cybersecurity defenses to mitigate the risks posed by such sophisticated threats and prevent similar breaches in the future.
Reference:
