Android Trojan TrickMo steals PINs using fake lock screens

mobile phones, 15.10.2024, 10:30 AM

Security researchers at Zimperium discovered as many as 40 new variants of the TrickMo Android banking trojan, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal the Android device unlock PIN.

TrickMo was first spotted in 2020, but it is believed to have been used in attacks against Android users since at least September 2019.

New versions of TrickMo can intercept one-time passwords (OTPs), record the screen, exfiltrate data, give attackers remote control of the device and more. The trojan abuses the powerful Accessibility Service permission to grant itself further permissions and to automatically accept permission prompts as needed.
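A triage check that follows from this: because TrickMo depends on an enabled Accessibility Service and arrives as a sideloaded APK, list which third-party apps on a device have an accessibility service enabled and where each was installed from. The script below is an added example, not code from the article or from Zimperium. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and treats any installer other than com.android.vending (Google Play) as sideloaded. The sample output and the package name com.secure.update are constructed.

```shell
#!/bin/sh
# Added triage helper, not part of the article or of Zimperium's research.
# It parses the raw output of two adb commands and flags third-party packages
# that have an accessibility service enabled but were NOT installed from
# Google Play (installer other than com.android.vending). The sample output
# below is constructed; "com.secure.update" is a hypothetical package name.

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated ComponentName strings, or the literal "null" when none is enabled)
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.secure.update/com.secure.update.AccService'

# Constructed sample of: adb shell pm list packages -3 -i
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.secure.update  installer=null
package:com.example.bank  installer=com.android.vending'

# Print the package name of every enabled accessibility service, one per line.
a11y_packages() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print "<package> <installer>" pairs from `pm list packages -i` output.
pkg_installers() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p'
}

# Print "<package> installer=<installer>" for each package that has an
# accessibility service enabled and did not come from Google Play.
# Packages missing from the third-party list (system apps) are skipped.
suspicious_a11y() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        inst=$(pkg_installers "$2" | awk -v p="$pkg" '$1 == p { print $2 }')
        case "$inst" in
            ''|com.android.vending) ;;    # system app or installed from Google Play
            *) printf '%s installer=%s\n' "$pkg" "$inst" ;;
        esac
    done
}

# Run against a connected device (requires adb and USB debugging enabled):
triage_device() {
    suspicious_a11y \
        "$(adb shell settings get secure enabled_accessibility_services)" \
        "$(adb shell pm list packages -3 -i)"
}
```

Call `triage_device` with a device attached. Any package it prints deserves a closer look and, if unexpected, having its accessibility access revoked in Settings; note that a legitimately sideloaded accessibility app (for example one installed from F-Droid) will be flagged as well, so the output is a starting point for review rather than a verdict.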

As a banking trojan, it lets cybercriminals overlay a phishing login screen on top of the apps of various banks and financial institutions, steal the credentials entered there and then make unauthorized transactions.

While analyzing these new variants, Zimperium analysts noticed a fake unlock screen that mimics the real Android lock screen in order to steal the user’s unlock pattern or PIN.

“The deceptive user interface is an HTML page hosted on an external website and displayed in full-screen mode on the device, making it look like a legitimate screen,” explains Zimperium. “When the user enters their unlock pattern or PIN, the page sends the captured PIN or pattern details, along with the device’s unique identifier (Android ID), to a PHP script.”

Stealing the PIN lets attackers unlock the device at a time when it is likely to be unattended, such as late at night, and commit fraud from the device itself.

Because the C2 infrastructure was inadequately secured, Zimperium was able to retrieve data showing that at least 13,000 victims had been affected by this malware. Most are in Canada, followed by the United Arab Emirates, Turkey and Germany. But this data comes from only a few C2 servers, so the total number of victims is probably much higher.

The researchers also say that TrickMo’s targeting extends well beyond banking apps to other applications and accounts, including VPNs, streaming platforms, e-commerce platforms, social networks and enterprise platforms.

TrickMo is currently being distributed via phishing, so do not download APKs from URLs sent by SMS or in direct messages from people you do not know.

Google Play Protect blocks known TrickMo variants, so check that this protection is enabled on your device; it can be crucial in defending against this malware.

Photo: Zimperium

Source: www.informacija.rs