Forty new variants of the TrickMo Android banking trojan have been recognized within the wild, linked to 16 droppers and 22 distinct command and management (C2) infrastructures, with new options designed to steal Android PINs.
That is being reported by Zimperium, following an earlier report by Cleafy that regarded into some, however not all variants at the moment in circulation.
TrickMo was first documented by IBM X-Pressure in 2020, however it’s thought to have been utilized in assaults in opposition to Android customers since at the very least September 2019.
Faux lock display screen steals Android PINs
Key options of the brand new TrickMo model embody one-time password (OTP) interception, display screen recording, information exfiltration, distant management, and extra.
The malware makes an attempt to abuse the highly effective Accessibility Service permission to grant itself further permissions and faucet on prompts mechanically as wanted.
As a banking trojan, it serves customers overlays of phishing login screens to numerous banks and monetary institutes to steal their account credentials and allow the attackers to carry out unauthorized transactions.
Zimperium analysts dissecting these new variants additionally report a brand new misleading unlock display screen mimicking the true Android unlock immediate, designed to steal the person’s unlock sample or PIN.
“The deceptive User Interface is an HTML page hosted on an external website and is displayed in full-screen mode on the device, making it look like a legitimate screen,” explains Zimperium.
“When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier (the Android ID) to a PHP script.”
Stealing the PIN permits the attackers to unlock the system when it isn’t actively monitored, presumably in late hours, to carry out on-device fraud.
Uncovered victims
Because of improperly secured C2 infrastructure, Zimperium was additionally capable of decide that at the very least 13,000 victims, most situated in Canada and vital numbers additionally discovered within the United Arab Emirates, Turkey, and Germany, are impacted by this malware.
This quantity corresponds to “several C2 servers,” in keeping with Zimperium, so the whole variety of TrickMo victims is probably going larger.
“Our analysis revealed that the IP list file is regularly updated whenever the malware successfully exfiltrates credentials,” explains Zimperium.
“We discovered millions of records within these files, indicating the extensive number of compromised devices and the substantial amount of sensitive data accessed by the Threat Actor.”
Cleafy beforehand withheld indicators of compromise from the general public because of the misconfigured C2 infrastructure that would expose sufferer information to the broader cybercrime neighborhood. Zimperium has now opted to put up every part on this GitHub repository.
Nonetheless, TrickMo’s concentrating on scope seems broad sufficient to embody app sorts (and accounts) past banking, together with VPN, streaming platforms, e-commerce platforms, buying and selling, social media, recruitment, and enterprise platforms.
Cleafy beforehand withheld indicators of compromise from the general public because of the misconfigured C2 infrastructure that would expose sufferer information to the broader cybercrime neighborhood, however Zimperium now opted to put up every part on this GitHub repository.
TrickMo is at the moment spreading by phishing, so to attenuate the probability of an infection, keep away from downloading APKs from URLs despatched through SMS or direct messages by individuals you do not know.
Google Play Shield identifies and blocks recognized variants of TrickMo, so making certain it is lively on the system is essential in defending in opposition to the malware.