Sep 13, 2024
Ravie Lakshmanan
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims’ banking credentials.
“The mechanisms include using malformed ZIP files in combination with JSONPacker,” Cleafy security researchers Michele Roviello and Alessandro Strino said. “In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms.”
“These features are designed to evade detection and hinder cybersecurity professionals’ efforts to analyze and mitigate the malware.”
TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.
The mobile-focused malware is assessed to be the work of the now-defunct TrickBot e-crime gang, continually improving its obfuscation and anti-analysis features to evade detection.
Notable among the features are its ability to log keystrokes, harvest photos and SMS messages, and abuse Android’s accessibility services API to carry out attacks on the device.