TrickMo Trojan Variants Target Device Unlock Codes
New Variants Steal PINs, Affect 13,000+ Users and Exploit Accessibility Features
A new variant of an Android banking Trojan called TrickMo tricks victims into entering their phone unlock code, enabling its operators to sustain access to the device, cybersecurity researchers warn.
Zimperium researchers identified 40 TrickMo variants with features including one-time password interception, credential theft and automated permission exploitation. The research builds on earlier analysis by Cleafy that covered some of the variants now circulating.
Cleafy warned in September that the operators behind the Trojan distribute it through a dropper disguised as the Google Chrome browser. After installation, the dropper displays a warning message prompting the user to update Google Play. Should the user confirm the update, the TrickMo payload installs as an app "deceptively named 'Google Services' and poses as a legitimate instance of Google Play Services," the company wrote.
"The malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations. These capabilities allow TrickMo to conduct financial fraud, making it extremely difficult to detect and remove from the infected device," it said.
In addition to capabilities including one-time password interception, screen recording, data exfiltration and credential theft through fake displays, Zimperium found that some TrickMo variants have the "dangerous new twist" of stealing the device's unlock pattern or PIN.
To grab the unlock code, the malware presents a deceptive HTML user interface that mimics the device's actual unlock screen. Because it is displayed in full-screen mode, it passes for the legitimate lock screen. "When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier (the Android ID) to a PHP script," Zimperium said.
By exploiting Android's accessibility services - an oft-exploited set of APIs intended to make mobile use easier for users with disabilities but also a favorite hacker pathway for obtaining extended permissions - it can perform various malicious actions, such as unauthorized transactions and gaining remote control over infected devices.
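Both behaviours described above, the full-screen fake lock screen and the abuse of accessibility services, depend on a third-party app that has been granted an accessibility service and that hides behind a Google-looking label. The following triage script is an added example written for this article; it is not code from Zimperium, Cleafy or the malware itself. It parses the text that two adb commands produce, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -f`, and flags any enabled accessibility service outside a hypothetical allow-list, plus any third-party package whose label imitates Google Play Services. The two command outputs, the app labels and the allow-list are constructed samples; on a real device the labels would come from a tool such as `aapt dump badging`.

```python
"""Triage helper for the accessibility-service and fake-lock-screen abuse the
article describes.  Added example, not Zimperium's, Cleafy's or TrickMo's code.
All sample data below is constructed for illustration."""
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service-class pairs).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.updater.services/com.updater.services.AccService"
)

# Constructed sample of `adb shell pm list packages -3 -f` (third-party apps only).
SAMPLE_PACKAGES = """package:/data/app/~~ab12/com.updater.services-1/base.apk=com.updater.services
package:/data/app/~~cd34/org.mozilla.firefox-2/base.apk=org.mozilla.firefox
"""

# Constructed: application labels as `aapt dump badging` would report them.
SAMPLE_LABELS = {
    "com.updater.services": "Google Services",
    "org.mozilla.firefox": "Firefox",
}

# Hypothetical allow-list of packages expected to run an accessibility service.
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}

# The real Google Play Services package; any other package with a Google-style label is suspect.
GMS_PACKAGE = "com.google.android.gms"
GOOGLE_LABEL = re.compile(r"google\s*(play\s*)?services", re.I)


def parse_enabled_services(settings_output):
    """Return [(package, service_class)] from the colon-separated settings value."""
    services = []
    for entry in settings_output.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            services.append((pkg, svc))
    return services


def parse_third_party_packages(pm_output):
    """Return {package: apk_path} from `pm list packages -3 -f` lines."""
    packages = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(?P<path>.+\.apk)=(?P<pkg>\S+)$", line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def find_suspects(settings_output, pm_output, labels):
    """Flag unexpected accessibility services and Google-impersonating labels."""
    findings = []
    for pkg, svc in parse_enabled_services(settings_output):
        if pkg not in KNOWN_GOOD_A11Y:
            findings.append({"package": pkg,
                             "reason": f"unexpected accessibility service {svc}"})
    for pkg in parse_third_party_packages(pm_output):
        label = labels.get(pkg, "")
        if pkg != GMS_PACKAGE and GOOGLE_LABEL.search(label):
            findings.append({"package": pkg,
                             "reason": f"third-party app labelled {label!r}"})
    return findings


if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_ENABLED, SAMPLE_PACKAGES, SAMPLE_LABELS):
        print(f"{finding['package']}: {finding['reason']}")
```

Both checks hit the same constructed package, which is the pattern a responder would expect from the infection chain the article describes: a sideloaded app that is not Google Play Services, carries its label, and has talked the user into enabling an accessibility service. Either finding on its own is worth a look; the pair together is a strong signal.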
Zimperium's analysis shows that at least 13,000 individuals are affected by TrickMo, primarily in Canada, with victims also found in the United Arab Emirates, Turkey and Germany. The company says it gained access to the Trojan's command-and-control servers.
TrickMo's extensive targeting includes gathering data from a wide range of applications. These span various categories, such as banking, enterprise, job recruitment, e-commerce, trading, social media, streaming and entertainment, VPN, government, education, telecom, and healthcare.