TrickMo Android Banking Trojan Evades Detection with Fake Login Screens

Cybersecurity researchers have uncovered a new variant of the Android banking trojan called TrickMo, which comes equipped with advanced capabilities to evade analysis and capture victims’ banking credentials. The malware is designed to target Android devices, particularly those in Germany, to steal one-time passwords (OTPs) and two-factor authentication (2FA) codes.

TrickMo’s features include screen recording, keystroke logging, photo and SMS message harvesting, remote device control for on-device fraud (ODF), and abuse of Android’s accessibility services API to perform HTML overlay attacks, in which a fake login page is drawn over the legitimate banking app to capture whatever the victim types.

The malicious dropper app, masquerading as the Google Chrome web browser, prompts victims to update Google Play Services, which downloads the TrickMo payload under the guise of “Google Services.” The user is then asked to enable accessibility services for the new app, granting the malware extensive control over the device.

TrickMo’s abuse of accessibility services allows it to intercept SMS messages, handle notifications, and execute HTML overlay attacks to steal user credentials. Additionally, the malware can disable security features, auto-grant permissions, and prevent the uninstallation of certain apps.
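Because the infection chain described above hinges on the victim enabling an accessibility service for a look-alike “Google Services” app, one practical fleet check is to audit which accessibility services are actually enabled on each device. The script below is an added example and is not code from the article or from the researchers; it parses the value of Android’s `enabled_accessibility_services` secure setting (the colon-separated `package/class` list that `adb shell settings get secure enabled_accessibility_services` prints) and flags any service whose package is not on an allow-list, with an extra note when the package name imitates a Google or Android component from outside those namespaces. The allow-list, the look-alike fragments and the sample setting value are constructed for the example; TrickMo’s real package name is not given in the article and is not assumed here.

```python
"""Audit Android's enabled_accessibility_services setting for unexpected services.

Added example (not from the article). Input is the raw setting string, e.g. the
output of:  adb shell settings get secure enabled_accessibility_services
Format: 'pkg/cls:pkg/cls' (a class may be abbreviated as '.Cls' relative to pkg).
"""
from __future__ import annotations

from dataclasses import dataclass

# Packages expected to run accessibility services on managed devices.
# Constructed allow-list for this example; a real deployment maintains its own.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",  # Android's TalkBack screen reader
    "com.android.switchaccess",
}

# Name fragments a malicious payload might use to look like a system component
# (the article says the TrickMo payload presents itself as "Google Services").
LOOKALIKE_FRAGMENTS = ("google", "services", "play", "chrome", "android")

# Namespaces where genuine Google/AOSP components live.
TRUSTED_PREFIXES = ("com.google.", "com.android.")


@dataclass
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Parse 'pkg/cls:pkg/cls' into (package, class) pairs.

    Tolerates an empty value and the literal 'null' that `settings get`
    prints when the setting was never written.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in setting_value.strip().split(":"):
        if "/" not in entry:
            continue  # malformed fragment, skip rather than crash the audit
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the abbreviated class form
        pairs.append((pkg, cls))
    return pairs


def audit(setting_value: str, allow_list: set[str] = KNOWN_GOOD_PACKAGES) -> list[Finding]:
    """Return one Finding per enabled service whose package is not allow-listed."""
    findings: list[Finding] = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg in allow_list:
            continue
        reason = "accessibility service enabled for package not on allow-list"
        lower = pkg.lower()
        if any(f in lower for f in LOOKALIKE_FRAGMENTS) and not lower.startswith(TRUSTED_PREFIXES):
            reason = "package name imitates a Google/Android component but is outside their namespaces"
        findings.append(Finding(pkg, cls, reason))
    return findings


# Constructed sample: legitimate TalkBack plus a look-alike third-party service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":org.example.googleservices/.AccessService"
)

if __name__ == "__main__":
    for f in audit(SAMPLE_SETTING):
        print(f"{f.package} ({f.service}): {f.reason}")
```

Run against the constructed sample, the script reports only `org.example.googleservices` and notes that its name mimics a Google component. In a managed fleet the same check would be driven from the MDM or from `adb` over a trusted connection, and a hit is a prompt to inspect the package rather than proof of infection on its own, since a user may legitimately have installed an unlisted accessibility app.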

The analysis also uncovered misconfigurations in TrickMo’s command-and-control (C2) server that left 12 GB of sensitive data exfiltrated from infected devices, including credentials and pictures, open to unauthorized access. The C2 server hosts the HTML files used in the overlay attacks, featuring fake login pages for various services, including banks and cryptocurrency platforms.

The security lapse highlights the operational security (OPSEC) blunder on the part of the threat actors, putting victims’ data at risk of exploitation by other attackers. This sensitive information could be leveraged to commit identity theft, infiltrate online accounts, conduct unauthorized transactions, or make fraudulent purchases.

Source: https://thehackernews.com/2024/09/trickmo-android-trojan-exploits.html?m=1