TrickMo Malware Attacking Android Devices To Steal Unlock Patterns & PINs


TrickMo is a sophisticated Android “banking Trojan” designed to steal “financial credentials” and “personal information.”

Besides this, it has a history of targeting Android devices to facilitate financial fraud by stealing OTPs and 2FA codes.


Cybersecurity researchers at Zimperium recently discovered that TrickMo malware has been actively attacking Android devices to steal unlock patterns and PINs.

Cleafy recently disclosed a new variant of the “TrickMo” Banking Trojan that features advanced evasion techniques like “zip file manipulation” and “obfuscation.”


Researchers identified “40 recent variants,” “16 droppers,” and “22 active C2 servers.” These variants offer a multitude of capabilities:-

  • One-Time Password (OTP) interception
  • Screen recording
  • Data exfiltration
  • Remote control
  • Automatic permission granting
  • Accessibility service abuse
  • Overlay-based credential theft

Deceptive overlays (Source – Zimperium)

Not only that, but researchers also detected a concerning new feature that enables some variants to steal device “unlock patterns” or “PINs” through a deceptive UI.

This UI is an externally hosted “HTML page” displayed in full-screen mode, which mimics the device’s actual unlock screen.

Fake unlocking UI (Source – Zimperium)

When users input their credentials on this page, the page transmits the captured information, together with the device’s “Android ID,” to a “PHP” script.

This enables the threat actors to “link stolen credentials” to specific devices and potentially access them even when “locked.”
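The fake unlock screen described above depends on two things an infected device exposes: an enabled accessibility service and permission to draw over other apps (the “accessibility service abuse” and “overlay-based credential theft” capabilities listed earlier). As an added triage example (not code from Zimperium, Cleafy or the malware itself), the following script correlates those two signals from adb output; the input formats are assumptions modelled on `settings get secure enabled_accessibility_services` and `dumpsys package`, and the allow-list and sample data are constructed.

```python
import re

# Constructed allow-list of packages a defender expects to run an
# accessibility service on the fleet (assumption, not from the article).
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.talkback"}

def parse_enabled_services(settings_value: str) -> set:
    """Package names from the colon-separated secure setting
    'pkg/.ServiceClass:pkg2/.ServiceClass2' (format is an assumption)."""
    pkgs = set()
    for entry in settings_value.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs

def has_overlay_permission(dumpsys_output: str) -> bool:
    """True if 'dumpsys package <pkg>' output shows the draw-over-apps
    permission granted (line format is an assumption)."""
    return re.search(
        r"android\.permission\.SYSTEM_ALERT_WINDOW:\s*granted=true",
        dumpsys_output) is not None

def triage(settings_value: str, dumpsys_by_pkg: dict) -> list:
    """Return (package, has_overlay) for every non-allow-listed package
    with an enabled accessibility service; packages that can also draw
    overlays (the combination the fake unlock screen needs) come first."""
    suspects = parse_enabled_services(settings_value) - ALLOWLIST
    results = [(p, has_overlay_permission(dumpsys_by_pkg.get(p, "")))
               for p in suspects]
    return sorted(results, key=lambda r: (not r[1], r[0]))

# Constructed sample adb output: one legitimate screen reader and one
# unknown app that both registered an accessibility service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.AccService"
)
SAMPLE_DUMPSYS = {
    "com.example.fakeupdate":
        "  install permissions:\n"
        "    android.permission.INTERNET: granted=true\n"
        "    android.permission.SYSTEM_ALERT_WINDOW: granted=true\n",
}

if __name__ == "__main__":
    for pkg, overlay in triage(SAMPLE_SETTING, SAMPLE_DUMPSYS):
        print(f"{pkg}: accessibility enabled, overlay={'yes' if overlay else 'no'}")
```

On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` for each flagged package.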

These “sophisticated capabilities” and the “malware’s ability” to evade detection pose security risks to the “financial security” and “personal data” of the users.

Researchers uncovered several “C2 servers” that are associated with a sophisticated “malware operation.”

These servers contained files listing approximately “13,000 unique victim IP addresses.” Geolocation of these IPs revealed the malware’s “primary targets”:-

  • Canada
  • United Arab Emirates
  • Turkey
  • Germany

The C2 servers continuously update their records as the malware exfiltrates “new credentials,” which results in “millions of compromised records.”

This data encompasses not only “banking information” but also “credentials for corporate resources” like “Virtual Private Networks (VPNs)” and “internal websites.”

The malware’s extensive control over infected devices and its ability to target a wide range of applications highlight the importance of robust “mobile device security,” as mobile devices often serve as a primary entry point for cyberattacks on organizations.

Enforcing proactive protection and mitigation measures is crucial to preventing “data breaches” and “financial losses.”
