October 14, 2024 at 01:35PM
Forty new variants of the TrickMo Android banking trojan have emerged, designed to steal PINs and sensitive data through deceptive screens and various phishing tactics. Linked to 16 droppers and 22 command and control infrastructures, it has impacted at least 13,000 victims, primarily in Canada, UAE, Turkey, and Germany.
### Meeting Takeaways
**Overview of TrickMo Android Banking Trojan:**
– **New Variants:** 40 new TrickMo variants identified, connected to 16 droppers and 22 distinct command and control (C2) infrastructures.
– **Notable Features:** Designed to steal Android PINs, intercept OTPs, record screens, exfiltrate data, and enable remote control.
**Technical Insights:**
– **Fake Lock Screen:** A deceptive UI mimics the genuine Android unlock prompt to capture user’s PIN or unlock pattern.
– **Malware Functionality:** Utilizes Accessibility Service permissions to escalate privileges and automate taps on prompts.
**Victim Exposure:**
– **Data Compromise:** At least 13,000 victims impacted, predominantly in Canada, with other significant numbers in the UAE, Turkey, and Germany. Likely higher due to multiple C2 servers.
– **Data Volume:** Millions of compromised records indicate extensive data access by Threat Actors.
**Security Recommendations:**
– **Phishing Prevention:** Avoid downloading APKs from unfamiliar sources such as SMS or direct messages.
– **Activation of Google Play Protect:** Crucial for identifying and blocking known TrickMo variants.
**Final Notes:**
– Zimperium has opted to publicly share indicators of compromise via a GitHub repository after previously withheld information due to security concerns.
– TrickMo’s targeting expands beyond banking to various other app types and platforms, suggesting a broader threat landscape.