Mobile devices now generate 59% of internet traffic, making them a significant target for cybercriminals. The mobile threat landscape in Q2 2024 reveals an increase in sophisticated attacks targeting mobile devices. Zscaler ThreatLabz found that financially motivated mobile attacks have surged, with spyware incidents increasing by 111% and banking malware by 29%, many of which can bypass multi-factor authentication (MFA). India emerged as the top target, accounting for 28% of all attacks, followed by countries like the U.S., Canada, South Africa, the Netherlands, and others.
According to MobileCorp, 85% of phishing occurs outside of email, with new phishing sites appearing every 20 seconds. Attackers use multiple channels to hide their fraudulent sites, including using HTTPS certificates to appear legitimate and Punycode attacks to trick users.
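Punycode (IDN homograph) lookalikes are hard to spot by eye but easy to spot in code. The following Python script is an added example written for this article, not Packetlabs tooling: it decodes xn-- labels back to Unicode, flags hostnames that use non-Latin or mixed-script letters, and maps common Cyrillic confusables onto a Latin "skeleton" to compare against a watch-list of brands. The confusables subset and the brand list are constructed assumptions; the sample hostnames are built inline from Unicode strings so the block runs offline.

```python
import unicodedata

# Constructed subset of the Unicode confusables table: Cyrillic letters that
# render almost identically to Latin ones. A production check would load the
# full table; this subset is illustrative only.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Hypothetical brand watch-list an organisation might maintain.
WATCHED_BRANDS = ("google", "apple", "binance")


def to_ascii_host(unicode_host):
    """Punycode-encode each non-ASCII label (used here only to build sample input)."""
    labels = []
    for label in unicode_host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def decode_label(label):
    """Turn an A-label (xn--...) back into Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Return the set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphens carry no script
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ")[0])
    return scripts


def skeleton(label):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess_hostname(host):
    """Classify a hostname: punycode present, non-Latin/mixed-script labels, brand lookalike."""
    labels = host.lower().split(".")
    decoded = [decode_label(lbl) for lbl in labels]
    flags = set()
    lookalike = None
    if any(lbl.startswith("xn--") for lbl in labels):
        flags.add("punycode")
    for label in decoded:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flags.add("mixed-script")
        elif scripts and scripts != {"LATIN"}:
            flags.add("non-latin")
        sk = skeleton(label)
        if sk != label and sk in WATCHED_BRANDS:
            lookalike = sk
    if lookalike:
        flags.add("brand-lookalike")
    return {
        "host": host,
        "unicode": ".".join(decoded),
        "flags": sorted(flags),
        "lookalike_of": lookalike,
    }


# Constructed samples: a wholly Cyrillic "apple", a mixed-script "google", and the real thing.
SAMPLE_HOSTS = [
    to_ascii_host("\u0430\u0440\u0440\u04cf\u0435.com"),  # аррӏе.com
    to_ascii_host("g\u043e\u043egle.com"),                # gооgle.com (Cyrillic o)
    "google.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(assess_hostname(h))
```

The skeleton comparison is what catches the case that matters to users: a domain that decodes to something visually identical to a trusted brand. Script-mixing alone is a weaker signal, since some legitimate IDNs mix scripts, so treat it as a triage hint rather than a verdict.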
Phishing and social engineering scams often exploit the trust users have in established brands like Google. As a major provider across various domains, including enterprise productivity apps, cloud services, mobile platforms, social media, and video streaming, the Google brand is used in scams to lend credibility and lure victims into a false sense of security. This tactic makes financially motivated attacks, such as those involving TrickMo, and ransomware attacks, especially potent and widespread.
The TrickMo Banking Trojan is an Android malware strain initially associated with the TrickBot cybercrime group. First identified in 2019, it primarily uses fake login screens to steal banking credentials from victims. Over time, TrickMo has evolved, incorporating advanced obfuscation and anti-analysis techniques to evade detection. Zimperium researchers identified 40 new variants, along with numerous droppers and command-and-control (C2) infrastructures.
Cleafy's investigation of TrickMo exposed misconfigurations in the C2 server, enabling access to 12 GB of sensitive exfiltrated data, including credentials and images. The C2 server also hosted HTML files for overlay attacks, displaying fake login pages mimicking banks and cryptocurrency platforms like Binance. TrickMo source code is openly accessible on platforms like GitHub and may be traded on dark-web cybercrime forums.
In this section we will highlight how recent cyber attacks leveraging the TrickMo banking trojan work. This will include a description of how attackers gain initial access to execute code on the victim's Android device, as well as the capabilities of the TrickMo Android malware.
TrickMo gains initial access to victims' Android devices through a first-stage "dropper" app that disguises itself as the Google Chrome web browser. Discovered by Cleafy, this malicious dropper prompts users to update Google Play Services by clicking a "Confirm" button. When the user agrees, an APK file containing the TrickMo payload is downloaded to the device, presented as "Google Services."
The user is then instructed to enable Android's Accessibility Services for the new app, granting TrickMo elevated permissions. These permissions allow the malware to intercept SMS messages, manipulate notifications to capture authentication codes, and execute HTML overlay attacks to steal user credentials. Additionally, TrickMo can disable essential security features, auto-grant permissions, block system updates, and prevent the uninstallation of specific apps, ensuring its persistence on the device.
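The two steps above leave observable traces on a device: a sideloaded package whose label borrows a Google name, and an AccessibilityService enabled for that package. The Python triage script below is an added example written for this article, not a Packetlabs or Cleafy tool. It parses the output formats of two real adb commands (`adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`) and flags the combination of impersonating label, non-Play-Store installer and accessibility privileges. The package inventory, app labels and the `com.example.*` package names are constructed sample data; the Google package names in the allow-list are real.

```python
import re

# Real Google package names that legitimately carry Chrome / Google Services labels.
GOOGLE_PACKAGES = {
    "com.android.chrome",        # Google Chrome
    "com.google.android.gms",    # Google Play services
    "com.google.android.gsf",    # Google Services Framework
}
IMPERSONATED_LABELS = ("google", "chrome", "play services")
PLAY_STORE = "com.android.vending"

# `pm list packages -i` prints one line per package: package:<name>  installer=<pkg|null>
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installed(pm_output):
    """Map package name -> installer package (None when the installer is 'null')."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result


def parse_accessibility(setting_value):
    """Extract package names from the colon-separated pkg/.Service list Android stores."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if "/" in comp}


def triage(installed, labels, a11y_pkgs):
    """Return (package, severity, reason) findings ordered as the packages were listed."""
    findings = []
    for pkg, installer in installed.items():
        label = labels.get(pkg, "")
        claims_google = any(k in label.lower() for k in IMPERSONATED_LABELS)
        if claims_google and pkg not in GOOGLE_PACKAGES:
            findings.append((pkg, "high",
                             f"label '{label}' imitates Google but package name is not a known Google package"))
        if pkg in a11y_pkgs:
            # Preinstalled system apps also show installer=null, so this rule is only
            # meaningful in combination with the accessibility privilege.
            if installer != PLAY_STORE:
                findings.append((pkg, "high", "app not installed from Play holds AccessibilityService privileges"))
            else:
                findings.append((pkg, "info", "accessibility service enabled (Play-installed app)"))
    return findings


# Constructed sample output of `adb shell pm list packages -i`.
PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.gms  installer=null
package:com.example.fakeservices  installer=null
package:com.example.reader  installer=com.android.vending
"""

# Constructed app labels (in practice collected with aapt or dumpsys per package).
LABELS = {
    "com.android.chrome": "Chrome",
    "com.google.android.gms": "Google Play services",
    "com.example.fakeservices": "Google Services",
    "com.example.reader": "Screen Reader",
}

# Constructed value of `settings get secure enabled_accessibility_services`.
A11Y_SETTING = "com.example.fakeservices/.AccessService:com.example.reader/.ReaderService"

if __name__ == "__main__":
    inventory = parse_installed(PM_OUTPUT)
    for pkg, severity, reason in triage(inventory, LABELS, parse_accessibility(A11Y_SETTING)):
        print(f"[{severity}] {pkg}: {reason}")
```

The point of the script is the correlation: any one of the three signals is noisy on its own (system apps show a null installer, screen readers legitimately hold accessibility privileges), but an app that was not installed from Play, calls itself "Google Services" and has an accessibility service enabled matches the infection chain described above and deserves a look.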
This section lists TrickMo's advanced techniques, including anti-analysis mechanisms, screen overlay attacks, and the ability to manipulate device settings. We will also discuss how TrickMo's use of accessibility services allows it to intercept messages, siphon authentication codes, and carry out unauthorized actions without alerting the user.
Abuses Android's accessibility services to grant itself additional permissions to carry out unauthorized transactions
Uses full-screen HTML mode to impersonate Android's legitimate unlock screens to harvest the device's unlock pattern or PIN
Gathers data from various applications, including banking, enterprise, e-commerce, social media, telecom, and more
Emulates popular banking website UIs to steal user credentials
Records screen activity, logs keystrokes, and harvests photos, one-time passwords (OTPs) and SMS-based two-factor authentication (2FA) codes
Remotely controls the infected device to conduct on-device fraud (ODF)
Employs anti-analysis mechanisms to hinder efforts by cybersecurity professionals
Evolves its obfuscation with new code-hiding techniques
The TrickMo Banking Trojan represents a significant threat to Android users, particularly those who use their mobile devices for online banking, e-commerce, and financial transactions. Initially developed by the TrickBot group, TrickMo has undergone continuous evolution, now boasting sophisticated anti-analysis features that allow it to evade detection. By exploiting accessibility services, it can intercept SMS messages, siphon two-factor authentication codes, and remotely control infected devices to carry out unauthorized transactions.
TrickMo’s recent variants, discovered by Cleafy and Zimperium, demonstrate the malware's adaptability, including advanced obfuscation techniques and the ability to harvest credentials from multiple applications. Attackers use phishing and social engineering to distribute TrickMo through fake Chrome browser updates, further complicating detection. This ongoing evolution underscores the importance of robust mobile security measures, including regular updates, vigilance against phishing attempts, and the use of reliable security software to prevent unauthorized access and financial fraud.
© 2024 Packetlabs. All rights reserved.