TrickMo
Type of Malware | Infostealer
Date of Initial Activity | 2020
Motivation | Data Theft
Attack Vectors | Phishing
Targeted Systems | Android
Type of Information Stolen | Financial Information
Overview
TrickMo is a sophisticated Android banking Trojan that has evolved significantly since its inception, representing a growing threat in the world of mobile cybercrime. Initially identified in 2019 by CERT-Bund, TrickMo was designed to target banking applications by bypassing two-factor authentication (2FA) mechanisms, such as one-time passwords (OTPs). Its main targets were financial institutions across Europe, with a focus on Germany. As part of the broader TrickBot ecosystem, TrickMo extended the group’s malicious activities into the mobile realm, using advanced techniques to steal banking credentials and conduct fraudulent transactions.
What sets TrickMo apart from other banking Trojans is its ability to adapt and evolve over time. It is equipped with advanced obfuscation methods that make it difficult for cybersecurity professionals to detect and analyze. In its most recent iteration, the malware has incorporated anti-analysis mechanisms such as malformed ZIP files and the use of JSONPacker, which complicate the process of reverse-engineering and hinder detection by automated tools. These innovations are a testament to the malware’s sophistication, as it continuously improves its tactics to evade cybersecurity defenses.
Targets
Individuals
How they operate
Delivery and Execution
TrickMo is commonly distributed through malicious apps that masquerade as legitimate applications. These apps can be distributed via third-party app stores or even downloaded from seemingly reputable sources, making the threat more difficult to detect. The initial execution often involves a dropper application, which, once installed, silently downloads and installs the TrickMo payload onto the victim’s device. The malware may leverage vulnerabilities in Android’s security model to bypass system defenses. After installation, the malware communicates with its command-and-control (C2) server, awaiting further instructions.
In some cases, TrickMo also exploits Android accessibility services, which are meant to assist users with disabilities, to gain control of the device. By requesting overly broad permissions, such as the ability to monitor screen activity or interact with user input, TrickMo can operate without triggering alarms from security software or system notifications.
Persistence and Privilege Escalation
Once TrickMo is installed, the malware focuses on ensuring that it persists on the device. It often modifies system files and settings to ensure that it remains active even after a device reboot. For example, TrickMo may insert itself into startup routines or set up a persistent background service that can restart the malware if it is ever terminated. This step is crucial for maintaining long-term control over the infected device.
To escalate its privileges, TrickMo may exploit Android’s built-in accessibility services. These services grant elevated permissions that are often overlooked by security measures. The malware can use these privileges to perform unauthorized actions, such as logging keystrokes, capturing screenshots, and accessing sensitive data, including One-Time Passwords (OTPs) for financial transactions. These privileges enable TrickMo to operate with near-complete control over the infected device, bypassing the usual restrictions placed on normal applications.
Data Collection and Exfiltration
The malware’s primary objective is often data collection. TrickMo harvests sensitive information from the infected device, including stored credentials, SMS messages, and login credentials for various online services. It may use keylogging techniques to capture passwords and other sensitive inputs as the victim interacts with their device. TrickMo also has the ability to monitor incoming and outgoing SMS messages, allowing it to intercept OTPs used for multi-factor authentication and other security purposes.
Once the data is collected, TrickMo communicates with its C2 server to exfiltrate the stolen information. This process typically involves encrypted communication, ensuring that the exfiltration is difficult to detect by network security tools. The malware uses various methods to evade detection, including employing obfuscation techniques to disguise its traffic and avoid triggering alarms. The exfiltrated data is often used for fraudulent financial transactions, identity theft, or sold on the black market.
Defense Evasion and Final Impact
TrickMo employs several advanced techniques to avoid detection and hinder analysis. The malware is often obfuscated using tools such as packers or encryptors, which make it harder for antivirus software to identify and neutralize the threat. Furthermore, TrickMo may delete or hide its files and artifacts to remove traces of its presence on the device, thus complicating incident response efforts.
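As an added defender-side example (not code from this profile or from any published TrickMo analysis), the Python below triages a candidate APK for the two traits described above: archive-level anomalies such as malformed ZIPs (the anti-analysis packaging noted in the Overview and under Defense Evasion) and the permission combination the Delivery, Persistence and Collection sections describe (accessibility-service binding, SMS access, boot-completed receivers, package installation by a dropper). The sample archive, the permission set and the risk weights are constructed assumptions, not indicators taken from the page.

```python
import io
import zipfile

# Manifest permission strings the profile's narrative associates with TrickMo-style
# behaviour, each mapped to a capability tag and an assumed risk weight.
RISKY = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", 4),
    "android.permission.RECEIVE_SMS": ("sms-intercept", 3),
    "android.permission.READ_SMS": ("sms-intercept", 3),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("reboot-persistence", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
}

# Constructed permission set for a hypothetical TrickMo-like app (not from the page).
TRICKMO_LIKE_PERMS = {
    "android.permission.INTERNET",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def capability_score(perms):
    """Return (score, sorted capability tags); each tag is counted once."""
    tags, score = set(), 0
    for tag, weight in (RISKY[p] for p in perms if p in RISKY):
        if tag not in tags:
            score += weight
            tags.add(tag)
    return score, sorted(tags)

def zip_anomalies(data):
    """Flag ZIP-level problems that should stop an APK being trusted or that hint
    at analysis-resistant packaging: unparseable archive, duplicate entries,
    missing manifest, or entries whose CRC does not match their content."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unparseable-zip"]
    findings = []
    with zf:
        names = [i.filename for i in zf.infolist()]
        if len(names) != len(set(names)):
            findings.append("duplicate-entries")
        if "AndroidManifest.xml" not in names:
            findings.append("missing-manifest")
        if zf.testzip() is not None:  # returns first entry failing its CRC
            findings.append("crc-mismatch")
    return findings

def build_sample(tamper):
    """Constructed stand-in for an APK: a stored ZIP with a manifest and a dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035" + b"A" * 32)
    data = bytearray(buf.getvalue())
    if tamper:  # corrupt one stored dex byte so the recorded CRC no longer matches
        data[data.index(b"AAAA")] = ord("B")
    return bytes(data)
```

Real-world use would feed `zip_anomalies` the APK bytes and `capability_score` the permission strings extracted from the decoded manifest; the score threshold is a local policy choice.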
The final impact of TrickMo on a victim can be significant. Beyond financial theft, where stolen credentials are used to perform unauthorized transactions, TrickMo can also lead to identity theft, unauthorized access to personal information, and further compromise of the victim’s digital life. For businesses, this malware poses a risk not only to individual employees but also to organizational data, as it can spread across corporate networks through infected devices, causing a broader security breach.
Conclusion
TrickMo malware represents a serious threat to Android device users, leveraging a combination of deceptive tactics, privilege escalation, and advanced persistence mechanisms to maintain control over infected devices. By understanding its technical operation, users and security professionals can better defend against this evolving threat. Regular updates to mobile devices, cautious behavior when downloading apps, and the use of advanced mobile security solutions can help mitigate the risks posed by TrickMo and similar malware.
MITRE Tactics and Techniques
Initial Access:
T1071.001: Application Layer Protocol: Web Protocols: TrickMo is distributed through a dropper app disguised as a legitimate application (such as Google Chrome). This dropper app installs the TrickMo malware, granting the attacker initial access to the device.
T1071.004: Application Layer Protocol: DNS: The malware may use DNS-based communication for exfiltrating data or interacting with its command-and-control (C2) server.
Execution:
T1203: Exploitation for Client Execution: TrickMo can exploit vulnerabilities in mobile applications to execute malicious payloads, including exploiting the Android accessibility services for enhanced permissions.
T1059.001: Command and Scripting Interpreter: PowerShell: Although not directly involving PowerShell, TrickMo utilizes scripting-based approaches for execution, such as through its dropper and unpacking methods (e.g., JSONPacker).
Persistence:
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder: TrickMo ensures persistence by embedding itself in the system’s startup processes or through modified settings that allow it to persist even after device reboot.
T1071.002: Application Layer Protocol: Web Shell: TrickMo may use a web shell interface to maintain control over the infected device, ensuring ongoing communication with the attacker’s infrastructure.
Privilege Escalation:
T1078: Valid Accounts: TrickMo abuses Android’s accessibility services to escalate privileges and gain elevated permissions, enabling it to perform sensitive operations such as intercepting OTPs, logging keystrokes, and manipulating device settings without user consent.
Defense Evasion:
T1027: Obfuscated Files or Information: TrickMo employs obfuscation techniques such as malformed ZIP files and packing methods (e.g., JSONPacker) to evade detection during analysis and complicate reverse engineering efforts.
T1070.004: Indicator Removal on Host: File Deletion: The malware may delete or hide its files to remove traces of infection and evade detection from antivirus programs and other security measures.
T1071.003: Application Layer Protocol: Web Shell: TrickMo’s communication with its C2 server could be encrypted or otherwise obfuscated to avoid detection by network monitoring systems.
Credential Dumping:
T1003: OS Credential Dumping: TrickMo targets and extracts login credentials (such as OTPs and PINs) to facilitate unauthorized transactions and further compromise the victim’s banking information.
Collection:
T1114.001: Email Collection: Local Email Collection: TrickMo can collect sensitive data from the infected device, such as SMS messages, stored credentials, and personal information, which could then be exfiltrated to the attacker’s C2 server.
T1056.001: Input Capture: Keylogging: TrickMo implements keylogging to capture sensitive data, such as login credentials and PINs, by recording the victim’s keystrokes.
Exfiltration:
T1041: Exfiltration Over Command and Control Channel: TrickMo exfiltrates sensitive data, including credentials, photos, and other personal information, back to its C2 server using encrypted or otherwise concealed communication channels.
Impact:
T1496: Resource Hijacking: TrickMo could be used to hijack system resources for malicious purposes, such as executing fraudulent transactions by controlling the infected device.
T1071.003: Application Layer Protocol: Web Shell: Exfiltrated data could potentially be shared with third-party malicious actors without authentication, increasing the impact on the victim.