The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further investigation into the matter. It has been found that this threat is more widespread than initially thought, with researchers identifying 40 variants, 16 droppers, and 22 active Command and Control servers associated with this malware.
These variants of the TrickMo Trojan use techniques such as zip file manipulation and code obfuscation to evade detection by security products. Although Indicators of Compromise (IOCs) had not been publicly released at the time, the researchers' analysis shows that many samples of this malware remain undetected by the broader cybersecurity community.
The TrickMo Trojan is a sophisticated threat that possesses various capabilities, including OTP interception, screen recording, data exfiltration, remote control, and overlay display. These features enable cybercriminals to access and steal sensitive information from compromised devices, posing a significant risk to users’ financial security and privacy.
One of the key tactics employed by this malware is presenting a deceptive user interface that mimics the device's actual unlock screen. This overlay tricks users into entering their PIN or unlock pattern, which is then captured and transmitted to a remote PHP script together with the device's unique Android ID. The attacker can use the Android ID to associate the stolen credentials with a specific victim's device, allowing them to unlock and control the device even when it is locked.
Further analysis of the compromised Command and Control servers reveals a significant number of unique IP addresses belonging to victims of the malware. These IP addresses were geolocated to identify the primary targets of the TrickMo Trojan, which include countries such as Canada, the United Arab Emirates, Turkey, and Germany. Although the newer Command and Control servers do not exhibit data leakage issues, an updated IP list file containing exfiltrated banking information and corporate resource credentials was discovered, highlighting the severity of the threat.
The vulnerability of mobile devices as entry points for cyberattacks is underscored by this discovery. The analysis conducted by Zimperium on extracted data from the TrickMo Trojan identified a wide range of targeted applications across various categories, illustrating the malware’s extensive reach and potential impact.
The TrickMo Trojan exhibits a wide range of malicious behaviors spanning the usual attack phases: gaining initial access, persisting on devices, evading defenses, stealing credentials, discovering system information, collecting sensitive data, and controlling devices through command-and-control channels. To achieve these objectives it combines techniques such as phishing, boot scripts, broadcast receivers, notification abuse, code downloading, obfuscation, keylogging, clipboard data extraction, OTP stealing, file and directory discovery, audio and screen capture, SMS manipulation, and data exfiltration over alternative protocols.
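The behaviors listed above (overlay display, OTP interception and SMS manipulation, boot persistence, audio capture, code downloading, keylogging) each require specific Android permissions or components, which makes a decoded manifest a cheap first triage signal for analysts and app-vetting pipelines. The following script is an added example and is not code from the article or from Cleafy or Zimperium: it maps the capabilities described on this page to the real Android permissions an app would need to implement them (the mapping itself is an assumption; the article does not state which permissions TrickMo declares), parses a text-form manifest such as one produced by apktool, and reports which capability groups the app could support. The manifests embedded below are constructed for the example.

```python
"""Triage an Android manifest for the capability groups attributed to TrickMo.

Added example: the permission-to-capability mapping is an assumption made for
illustration, not a published TrickMo signature.
"""
import xml.etree.ElementTree as ET

# Real Android manifest namespace; android:name attributes live under it.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the article -> permissions an app needs for them.
# Permission identifiers are real; which of them TrickMo uses is an assumption.
CAPABILITY_INDICATORS = {
    "overlay display": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "OTP interception / SMS manipulation": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "audio capture": {"android.permission.RECORD_AUDIO"},
    "code downloading (sideload)": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "keylogging / remote control (accessibility)": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the android:permission guard on
    <service> elements (that is where BIND_ACCESSIBILITY_SERVICE appears)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return perms


def triage(manifest_xml: str) -> dict:
    """Return the declared permissions, the capability groups they could
    support, and a simple score (number of groups matched)."""
    perms = declared_permissions(manifest_xml)
    matched = {
        cap: sorted(perms & needed)
        for cap, needed in CAPABILITY_INDICATORS.items()
        if perms & needed
    }
    return {"permissions": sorted(perms), "capabilities": matched, "score": len(matched)}


# Constructed manifests for the example (not real samples).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(xml)
        print(f"{label}: score={result['score']}")
        for cap, hits in result["capabilities"].items():
            print(f"  {cap}: {', '.join(hits)}")
```

A high score is a reason to look closer, not a verdict: legitimate SMS or accessibility apps declare some of these permissions, and the combination of overlay, SMS, boot and accessibility rights in a single app that has no business needing them is the pattern worth escalating to dynamic analysis.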
Overall, the discovery of the TrickMo Banking Trojan variant by Cleafy and the subsequent investigation into its variants and capabilities reveal the ongoing threat posed by sophisticated malware to users’ financial security and privacy. Cybersecurity experts continue to monitor and analyze such threats to develop effective mitigation strategies and protect users from falling victim to these malicious activities.