Banking malware is a type of malicious software that targets financial institutions and their customers.
There is a rise in Android banking malware, which exploits vulnerabilities in the Android operating system to steal sensitive user information.
Cleafy’s Threat Intelligence team recently discovered a new Android banking malware dubbed “TrickMo,” which was found to be actively attacking users to steal login credentials.
Android Banking Malware TrickMo
TrickMo is a new variant of Android banking malware that is derived from its predecessor, TrickBot.
Instead of the traditional encoders, it uses sophisticated anti-analysis techniques, such as broken zip files, jsonpacker, and dropper apps, among others, to avoid detection.
The malware is distributed by a dropper disguised as “Google Chrome,” which abuses the Android Accessibility Service to approve device admin controls.
After installation, TrickMo is able to capture one-time passwords for online banking services, record the screen, log keystrokes, and gain remote access to the infected device.
It exchanges data with the C2 server over HTTP POST, sending device information as JSON to the /c endpoint and receiving commands in return, reads the Cleafy report.
TrickMo utilizes a Clicker configuration (clicker.json) to automate actions via the Accessibility Service, targeting both system and utility applications.
Its capabilities include SMS interception, photo retrieval, screen recording, remote access, and HTML overlay attacks for credential theft.
The malware can change the default SMS app, retrieve installed app lists, and perform clicks and gestures on the device.
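Two of the behaviours described above, the Accessibility Service access granted to a dropper posing as “Google Chrome” and the replacement of the default SMS app, leave traces in device settings that an analyst can read with adb. The following triage script is an added example, not code from the Cleafy report or this article; the allowlists, labels and sample values are assumed, and the package name dreammes.ross431.in is reused from the report as the sample rogue package.

```python
"""Triage Android settings for TrickMo-style abuse of the Accessibility Service
and the default-SMS role.

The strings handled here imitate the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
Allowlists below are assumptions a fleet admin would tune, not report data.
"""

# Accessibility services reviewed and accepted (assumed allowlist).
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback", "com.android.talkback"}
# Packages normally allowed to hold the default-SMS role (assumed allowlist).
KNOWN_GOOD_SMS = {"com.google.android.apps.messaging", "com.android.messaging"}
# Package names the genuine Chrome browser ships under.
LEGIT_CHROME = {"com.android.chrome", "com.chrome.beta", "com.chrome.dev", "com.chrome.canary"}


def parse_enabled_services(setting):
    """Split the colon-separated 'package/service' list into (package, service) pairs.
    A service starting with '.' is shorthand for a class inside its package."""
    pairs = []
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        pairs.append((pkg, pkg + svc if svc.startswith(".") else svc))
    return pairs


def suspicious_accessibility(setting, allow=KNOWN_GOOD_A11Y):
    """Packages granted accessibility access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(setting) if pkg not in allow})


def suspicious_sms_default(setting, allow=KNOWN_GOOD_SMS):
    """The default SMS package if it is not a known messaging app, else None."""
    pkg = setting.strip()
    return pkg if pkg and pkg not in allow else None


def fake_chrome_packages(labels):
    """Given package -> app label (as listed by dumpsys package), flag apps that
    present themselves as Chrome but are not one of Google's Chrome packages."""
    return sorted(p for p, name in labels.items()
                  if "chrome" in name.lower() and p not in LEGIT_CHROME)


if __name__ == "__main__":
    # Constructed sample values: the installer package from the report has been
    # granted accessibility access and taken over the SMS role.
    a11y = "com.android.talkback/.TalkBackService:dreammes.ross431.in/.SvcA"
    print("rogue a11y:", suspicious_accessibility(a11y))        # ['dreammes.ross431.in']
    print("rogue sms:", suspicious_sms_default("dreammes.ross431.in"))
    print("fake chrome:", fake_chrome_packages({"com.android.chrome": "Chrome",
                                                "dreammes.ross431.in": "Google Chrome"}))
```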
TrickMo’s C2 server was found to hold exfiltrated data, including logs, credentials, and photos, but lacks any authentication, exposing the victims to multiple threat actors.
TrickMo was first discovered and reported by CERT-Bund in 2019. It mostly targets banking applications within Europe, with a particular focus on German-speaking users, as seen in the language settings in its clicker.json file.
Analysis of the cloud strife installer’s package name (dreammes.ross431.in) and of how it is unpacked (com.turkey.inner.Uactortrust) highlights the very advanced methods employed to hide and protect the malware.
The leak occurred because the Command and Control (C2) server was poorly configured, which led to the exposure of 12 GB of victim data.
Some of the C2 server’s critical endpoints exposed the IP addresses of compromised devices, operation logs, and the HTML documents used for overlay attacks on banking and cryptocurrency platforms.
They also included CSV files containing stolen usernames and passwords, as well as ZIP files containing images taken from compromised devices.
This leak, in particular, not only exposes a tactical error of the creators of TrickMo’s infrastructure but also increases the likelihood of this leakage being exploited further.
Threat actors can use this information to log on to someone’s account, commit identity theft, and execute highly targeted phishing attacks.
The released information exposes both the attack surface and possible avenues for physical attack, suggesting that comprehensive measures must be taken to strengthen data security systems and prevent such occurrences in the future.