New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device’s unlock pattern or PIN.
“This new addition enables the threat actor to operate on the device even while it is locked,” Zimperium security researcher Aazim Yaswant said in an analysis published last week.
First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android’s accessibility services.
Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions.
Some of the new variants of the malware have also been equipped to harvest the device’s unlock pattern or PIN by presenting to the victim a deceptive User Interface (UI) that mimics the device’s actual unlock screen.
The UI is an HTML page that’s hosted on an external website and displayed in full-screen mode, thus giving the impression that it’s a legitimate unlock screen.
Should unsuspecting users enter their unlock pattern or PIN, the information, alongside a unique device identifier, is transmitted to an attacker-controlled server (“android.ipgeo[.]at“) in the form of an HTTP POST request.
Zimperium said the lack of adequate security protections for the C2 servers made it possible to gain insight into the kinds of data stored in them. This includes files with approximately 13,000 unique IP addresses, most of which are geolocated to Canada, the U.A.E., Turkey, and Germany.
“These stolen credentials are not only limited to banking information but also encompass those used to access corporate resources such as VPNs and internal websites,” Yaswant said. “This underscores the critical importance of protecting mobile devices, as they can serve as a primary entry point for cyberattacks on organizations.”
Another notable aspect is the broad targeting of TrickMo, gathering data from applications spanning multiple categories such as banking, enterprise, job and recruitment, e-commerce, trading, social media, streaming and entertainment, VPN, government, education, telecom, and healthcare.
The development comes amid the emergence of a new ErrorFather Android banking trojan campaign that employs a variant of Cerberus to conduct financial fraud.
“The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered,” Broadcom-owned Symantec said.
According to data from Zscaler ThreatLabz, financially motivated mobile attacks involving banking malware have witnessed a 29% jump during the period June 2023 to April 2024, when compared to the previous year.
India came out as the top target for mobile attacks during the time frame, experiencing 28% of all attacks, followed by the U.S., Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore, and the Philippines.