TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns
October 15, 2024 at 01:06PM

New variants of the TrickMo Android banking trojan now include features to steal unlock patterns or PINs, allowing attacks even when devices are locked. These versions also improve evasion tactics and target a wide range of applications. Mobile banking malware attacks have increased by 29% from June 2023 to April 2024, with India most affected.

### Meeting Takeaways – October 15, 2024

**Topic:** Mobile Security / Financial Fraud

1. **New Variant of TrickMo Malware:**
– Recent variants of the TrickMo Android banking trojan introduce previously undocumented features that capture the device's unlock pattern or PIN.
– With the unlock secret in hand, attackers can operate the device even while it is locked.

2. **TrickMo Overview:**
– Originally identified in 2019, TrickMo is linked to the TrickBot cybercrime group.
– Capabilities include remote control of infected devices, theft of SMS-based one-time passwords (OTPs), and overlay screens that capture user credentials, all enabled by abuse of Android's accessibility services.

3. **Cleafy Report:**
– Updates disclosed by Cleafy describe improved evasion techniques and the acquisition of additional permissions that let TrickMo perform unauthorized transactions on infected devices.

4. **Deceptive User Interface:**
– New variants display a fake UI that mimics the device's real unlock screen to harvest the user's PIN or pattern.
– Whatever the user enters is sent to a remote server controlled by the attackers.

5. **Data Insights:**
– Inadequately secured command-and-control (C2) servers exposed their stored data, including about 13,000 unique IP addresses, located primarily in Canada, the U.A.E., Turkey, and Germany.

6. **Impact on Credentials:**
– The stolen credentials include both banking and corporate logins, underscoring that weak mobile device security can become the entry point for attacks on organizations.

7. **Broad Targeting Scope:**
– TrickMo targets a wide range of applications, including banking, enterprise, e-commerce, and social media apps, showing its versatility across sectors.

8. **Emerging Threats:**
– The newly reported ErrorFather banking trojan, built on a variant of Cerberus to carry out financial fraud, is also noted; it illustrates the continuing threat posed by repurposed malware.

9. **Trends in Mobile Attacks:**
– From June 2023 to April 2024, mobile attacks involving banking malware have increased by 29%.
– India is the most targeted country, accounting for 28% of attacks, followed by the U.S., Canada, and other nations.

**Conclusion:**
– The meeting highlighted the evolving landscape of mobile security threats and the crucial need for awareness and protection against sophisticated malware attacks targeting the financial sector.