Cybersecurity researchers have identified a new variant of the Android banking trojan TrickMo, equipped with enhanced features for evading detection and capturing victims’ banking credentials through fake login screens.
According to Cleafy security researchers Michele Roviello and Alessandro Strino, TrickMo uses techniques like malformed ZIP files and JSONPacker, along with an anti-analysis dropper app, to avoid detection and complicate analysis by security professionals. Originally spotted in September 2019 by CERT-Bund, TrickMo has a history of targeting Android users in Germany to steal one-time passwords (OTPs) and other 2FA codes for financial fraud.
Linked to the defunct TrickBot cybercrime group, the trojan has evolved with advanced obfuscation tactics. Its capabilities include screen recording, keystroke logging, harvesting photos and SMS messages, and remotely controlling infected devices to execute on-device fraud (ODF). It also exploits Android’s accessibility services API to conduct HTML overlay attacks and perform clicks and gestures on the device.
The malware’s dropper app, disguised as the Google Chrome browser, prompts users to update Google Play Services by clicking a “Confirm” button, further facilitating the infection process.
If the user proceeds with the update prompt, an APK disguised as “Google Services” is downloaded, and the user is prompted to enable accessibility services for this new app.
While accessibility services are intended to aid users with disabilities by offering alternative ways to interact with their devices, malicious apps like TrickMo exploit these services to gain extensive control. This elevated access allows TrickMo to intercept SMS messages, manage notifications to capture or conceal authentication codes, and execute HTML overlay attacks to steal credentials. It can also bypass keyguards, automatically accept permissions, and deeply integrate into the device’s operations.
Moreover, TrickMo’s misuse of accessibility services enables it to disable key security features, block system updates, auto-grant permissions, and prevent the uninstallation of specific apps, making it highly persistent and difficult to remove.
Cleafy’s analysis revealed misconfigurations in TrickMo’s command-and-control (C2) server that exposed 12 GB of sensitive data, including credentials and photos, without requiring authentication. The C2 server also hosts HTML files used in overlay attacks, featuring fake login pages for various services, including banks like ATB Mobile and Alpha Bank, as well as cryptocurrency platforms such as Binance.
This security lapse not only underscores a significant operational security (OPSEC) error by the threat actors but also increases the risk of victims’ data being exploited by other cybercriminals. The exposed data could be used for identity theft, unauthorized account access, financial fraud, and even locking victims out of their accounts by resetting passwords.
Attackers can use the leaked personal information and images to craft convincing phishing messages, further tricking victims into disclosing more information or performing malicious actions. The misuse of such detailed personal data can lead to immediate financial losses, reputational damage, and long-term impacts, complicating the recovery process for victims.
This disclosure coincides with Google’s ongoing efforts to improve security around sideloading: third-party developers can now use the Play Integrity API to detect whether their app was sideloaded, and users are encouraged to download apps directly from Google Play.
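The sideloading check mentioned above is made on the server, not in the app: the app requests an integrity token bound to a server-issued nonce, the server has Google decode it, and the decoded verdict says whether Play recognizes the installed binary. The following is an added example of that server-side decision logic, written for this page and not Cleafy’s or Google’s code. It assumes the documented verdict fields (`requestDetails`, `appIntegrity`, `deviceIntegrity`, `accountDetails`); the package name, certificate digest, nonce and the two sample verdicts are constructed placeholders.

```python
"""Server-side evaluation of a decoded Play Integrity verdict (added example).

Assumes the verdict JSON shape documented for the Play Integrity API. The
package name, signing-certificate digest, nonce and sample verdicts below are
constructed placeholders, not values from any real app or campaign.
"""
import base64
import os

EXPECTED_PACKAGE = "com.example.bankapp"              # placeholder package name
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_CERT_SHA256_B64URL"}  # placeholder cert digest
MAX_AGE_MS = 5 * 60 * 1000                            # tokens older than 5 min are stale


def make_nonce() -> str:
    """Server-generated, single-use nonce; stored per session and checked on return."""
    return base64.urlsafe_b64encode(os.urandom(24)).decode().rstrip("=")


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: int):
    """Return (decision, reasons): decision is 'allow', 'step_up' or 'deny'.

    Hard failures (deny): the verdict is not for our request, or the binary is
    not the one we shipped. Soft failures (step_up): Play could not evaluate,
    the device fails integrity, or the install is unlicensed.
    """
    hard, soft = [], []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})

    # 1. Bind the verdict to our request: same nonce, same package, still fresh.
    if req.get("nonce") != expected_nonce:
        hard.append("nonce mismatch (replayed or foreign token)")
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        hard.append("request package mismatch")
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        hard.append("token too old")

    # 2. App integrity. PLAY_RECOGNIZED: the exact binary is known to Play.
    #    UNRECOGNIZED_VERSION: sideloaded or repackaged build. UNEVALUATED:
    #    Play could not tell, which is unknown, not trusted.
    recog = app.get("appRecognitionVerdict")
    if recog == "UNRECOGNIZED_VERSION":
        hard.append("app not recognized by Play (sideloaded or modified build)")
    elif recog != "PLAY_RECOGNIZED":
        soft.append("app integrity unevaluated")
    if recog != "UNEVALUATED":
        if app.get("packageName") != EXPECTED_PACKAGE:
            hard.append("appIntegrity package mismatch")
        if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
            hard.append("signing certificate is not ours")

    # 3. Device integrity: a rooted or emulated device returns an empty list.
    if "MEETS_DEVICE_INTEGRITY" not in set(dev.get("deviceRecognitionVerdict", [])):
        soft.append("device fails integrity")

    # 4. Licensing: LICENSED means this Play account installed it from Play.
    if acct.get("appLicensingVerdict") != "LICENSED":
        soft.append("install not licensed via Play")

    if hard:
        return "deny", hard + soft
    if soft:
        return "step_up", soft
    return "allow", []


# Constructed sample verdicts for demonstration.
NOW_MS = 1_700_000_000_000
NONCE = "constructed-session-nonce"

GOOD_VERDICT = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": NONCE,
                       "timestampMillis": str(NOW_MS - 1_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_CERT_SHA256_B64URL"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# Same request, but the installed binary is a sideloaded, re-signed copy.
SIDELOADED_VERDICT = {
    "requestDetails": GOOD_VERDICT["requestDetails"],
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                     "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_OTHER_CERT_DIGEST"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}

if __name__ == "__main__":
    for name, v in (("genuine", GOOD_VERDICT), ("sideloaded", SIDELOADED_VERDICT)):
        print(name, evaluate_verdict(v, NONCE, NOW_MS))
```

The nonce check matters as much as the recognition verdict: without it, a valid token captured from a genuine install could be replayed alongside a repackaged one. Treating `UNEVALUATED` as a step-up rather than an allow keeps the check fail-closed when Play cannot answer.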