TrickMo Android Trojan Used For On-Device Banking Fraud
Cybersecurity researchers have recently discovered a new threat pertaining to Android devices dubbed the TrickMo Android trojan. As per recent reports, the trojan comes equipped with new capabilities helping it display malicious login screens that capture banking credentials and evade analysis.
In this article, we’ll dive into the details of the trojan app and uncover the attack mechanism. Let’s begin!
TrickMo Android Trojan: Initial Discovery
The TrickMo Android trojan was first discovered in the wild by CERT-Bund in September 2019. Since then, the Android banking trojan has been observed targeting mainly Android devices belonging to users in Germany. One of its key objectives is to acquire one-time passwords (OTPs) and two-factor authentication codes, allowing it to commit financial fraud.
It’s worth mentioning that the trojan has experienced feature improvements for evading analysis. Such features also help it operate under the radar and continue to target victims. Some of the features that have been improved since its inception are centered around attack capabilities that include:
- Logging keystrokes.
- Recording screen activity.
- Harvesting photos and SMS messages.
- Performing clicks and gestures on the compromised device.
- Abusing Android’s accessibility services API for HTML overlay attacks.
- Remotely controlling the infected device to conduct on-device fraud (ODF).
Android Banking Trojan Attack Techniques
It has been identified that the malicious app used during the attack masks itself as the Google Chrome web browser. When the bogus app is launched after installation, it urges users to update Google Play services by clicking on a confirm button.
If the user chooses to move forward with the update, the TrickMo Android trojan payload, masked as “Google Services,” is downloaded on the device. From here onwards, victims are asked to enable accessibility services for this app.
Providing further details pertaining to the attack, cybersecurity experts have stated that:
“Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices. However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device.”
Once the permissions are granted, the TrickMo Android trojan can perform the malicious activities mentioned above. In addition, these permissions also help the Android banking trojan disable critical security features and system updates.
As for the details of the malicious activities that the TrickMo Android trojan is capable of performing, experts have said that:
“This elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS messages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to steal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device’s operations.”
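The infection chain described above rests on a specific combination of Android capabilities: a bound accessibility service, SMS access, overlay windows, notification access and the ability to install a second-stage package. The script below is an added example (it is not TrickMo code and is not taken from the cited reports) showing how a defender can triage an extracted AndroidManifest.xml for that combination. The permission and action names are real Android identifiers; both sample manifests and the package names in them are constructed for illustration.

```python
"""Triage an AndroidManifest.xml for the capability combination that the
article attributes to the TrickMo dropper and payload. Added example for
defenders, not the malware's code. Sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission identifiers, mapped to the abuse the article describes.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a second-stage payload",
}
# Services are bound with a signature permission rather than requested in <uses-permission>.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree keys them as {ns}name)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return {identifier: explanation} for every risky capability found in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            findings[name] = RISKY_PERMISSIONS[name]
    for svc in root.iter("service"):
        bind = _attr(svc, "permission")
        if bind == ACCESSIBILITY_BIND:
            findings[ACCESSIBILITY_BIND] = "accessibility service: can read the screen and inject clicks/gestures"
        elif bind == NOTIFICATION_BIND:
            findings[NOTIFICATION_BIND] = "notification listener: can read or dismiss 2FA notifications"
    return findings


def risk_level(findings: dict) -> str:
    """Legitimate accessibility apps exist; the suspicious pattern is an accessibility
    service combined with an OTP-harvesting or overlay capability."""
    has_a11y = ACCESSIBILITY_BIND in findings
    has_otp_path = any(
        k in findings
        for k in ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS", NOTIFICATION_BIND)
    )
    has_overlay = "android.permission.SYSTEM_ALERT_WINDOW" in findings
    if has_a11y and (has_otp_path or has_overlay):
        return "high"
    if has_a11y or has_otp_path or has_overlay:
        return "medium"
    return "low"


# Constructed manifest modelled on the capabilities described in the article.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Chrome">
    <service android:name=".A11yService" android:permission="{ACCESSIBILITY_BIND}">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="{NOTIFICATION_BIND}">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary networked app, for comparison.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"{label}: risk={risk_level(found)}")
        for ident, why in found.items():
            print(f"  {ident}: {why}")
```

The check deliberately scores on the combination rather than on any single permission: a screen reader legitimately binds an accessibility service, and an SMS client legitimately receives SMS, but one app doing both while also drawing overlays and installing packages matches the pattern the reports describe and deserves manual review.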
In addition, media reports have cited a Google spokesperson stating the organization has not found any evidence of the malware being distributed via the Play Store. The spokesperson has also mentioned that users are protected against known threats by Google Play Protect.
Conclusion
The TrickMo Android trojan showcases a dangerous evolution in on-device banking fraud, leveraging accessibility services to capture credentials and bypass security measures. Users must remain vigilant when installing apps outside the Play Store and ensure that accessibility permissions are not granted to suspicious applications.
The sources for this piece include articles in The Hacker News and Cyber Insider.