
TrickMo Trojan Variants Target Device Unlock Codes

New Variants Steal PINs, Affect 13,000+ Users and Exploit Accessibility Features
Operators of the TrickMo Trojan want to trick victims into revealing their Android unlock code. (Image: Shutterstock)

A new variant of an Android banking Trojan called TrickMo tricks victims into providing their phone unlock code, enabling the attackers to sustain their operations, cybersecurity researchers warn.


Zimperium researchers identified 40 TrickMo variants that contain features including one-time password interception, credential theft and automated permission exploitation. The research builds on earlier analysis by Cleafy that covered some of the variants now circulating.

Cleafy warned in September that the operators behind the Trojan distribute it through a dropper disguised as the Google Chrome browser. After installation, it displays a warning message prompting users to update Google Play. Should a user confirm the update, TrickMo malware installs as an app "deceptively named 'Google Services' and poses as a legitimate instance of Google Play Services," the company wrote.

"The malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations. These capabilities allow TrickMo to conduct financial fraud, making it extremely difficult to detect and remove from the infected device," it said.

In addition to capabilities including one-time password interception, screen recording, data exfiltration and credential theft through fake displays, Zimperium found that some TrickMo variants have the "dangerous new twist" of stealing the device's unlock pattern or PIN.

To grab the unlock code, the malware presents a deceptive HTML user interface that mimics the device's actual unlock screen. Because it is displayed in full-screen mode, it looks like a legitimate screen. "When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier (the Android ID) to a PHP script," Zimperium said.

By exploiting Android's accessibility services - an oft-exploited set of APIs intended to make mobile use easier for users with disabilities but also a favorite hacker pathway for obtaining extended permissions - it can perform various malicious actions, such as unauthorized transactions and gaining remote control over infected devices.
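The two indicators the article describes, an app that masquerades as Google Play Services under a non-Google package name and an app that combines an accessibility service with the overlay permission needed to draw a full-screen fake lock screen, can be turned into a simple triage check over a device's app inventory. The following is an added example written for this page, not code from the article, Zimperium or Cleafy; the inventory format, the InstalledApp type and the sample package names (such as com.gplay.updater) are constructed for illustration.

```python
"""Triage check for TrickMo-style impostor apps on an Android app inventory.

Added example, not from the article or the researchers it cites. It flags
(1) an app whose label mimics Google Play Services but whose package is not
Google's, and (2) an app that exposes an accessibility service and also holds
the overlay permission, the combination that lets malware draw a full-screen
fake unlock screen and auto-accept prompts. The inventory format and sample
entries are constructed for this example.
"""
from dataclasses import dataclass, field

# Real Android permission strings. BIND_ACCESSIBILITY_SERVICE is declared by an
# app's accessibility service in its manifest, so its presence in an inventory
# means the app exposes such a service; SYSTEM_ALERT_WINDOW allows drawing
# over other apps.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Package prefixes under which a "Google ... services" label is expected.
GOOGLE_PREFIXES = ("com.google.", "com.android.")


@dataclass
class InstalledApp:
    """One entry of a constructed app inventory (package, user-visible label, permissions)."""
    package: str
    label: str
    permissions: set = field(default_factory=set)


def impostor_label(app: InstalledApp) -> bool:
    """Label claims to be Google (Play) Services but the package is not Google's."""
    label = app.label.lower()
    looks_google = "google" in label and "service" in label
    return looks_google and not app.package.startswith(GOOGLE_PREFIXES)


def overlay_plus_accessibility(app: InstalledApp) -> bool:
    """Holds both capabilities a fake-lock-screen overlay needs: draw over apps and drive the UI."""
    return ACCESSIBILITY in app.permissions and OVERLAY in app.permissions


def triage(inventory):
    """Return {package: [reasons]} for every app matching at least one indicator."""
    findings = {}
    for app in inventory:
        reasons = []
        if impostor_label(app):
            reasons.append("label mimics Google Play Services outside a Google package")
        if overlay_plus_accessibility(app):
            reasons.append("holds SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE together")
        if reasons:
            findings[app.package] = reasons
    return findings


# Constructed sample inventory: the genuine Play Services package, a benign
# accessibility app, and a TrickMo-style impostor (hypothetical package name).
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gms", "Google Play services", {OVERLAY}),
    InstalledApp("org.example.screenreader", "Example Screen Reader", {ACCESSIBILITY}),
    InstalledApp("com.gplay.updater", "Google Services",
                 {ACCESSIBILITY, OVERLAY, "android.permission.RECEIVE_SMS"}),
]

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_INVENTORY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device the inventory would come from the package manager output rather than the constructed list; the check is deliberately conservative, so the genuine Play Services entry and a legitimate screen reader produce no findings, while the impostor is reported for both indicators.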

Zimperium's analysis shows that at least 13,000 individuals are affected by TrickMo, primarily in Canada, with victims also found in the United Arab Emirates, Turkey and Germany. The company says it gained access to the Trojan's command-and-control servers.

TrickMo's extensive targeting includes gathering data from a wide range of applications. These span various categories, such as banking, enterprise, job recruitment, e-commerce, trading, social media, streaming and entertainment, VPN, government, education, telecom, and healthcare.


About the Author

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.



