The creators of the TrickBot banking Trojan have developed a new Android app that can intercept the two-factor authentication codes sent to Internet banking customers via SMS or via more secure push notifications, and use them to perform fraudulent transactions.
IBM X-Force researchers have named the Android app “TrickMo”; it is under active development and is aimed at German users whose desktops were earlier infected with the TrickBot malware. The researchers note that Germany was the first country TrickBot spread to when it appeared in 2016.
The name TrickMo is a direct reference to a similar Android banking malware, ZitMo, which the Zeus cybercriminal gang developed in 2011 to bypass SMS-based two-factor authentication.
The malware was initially found by CERT-Bund last September. The TrickMo campaign works by intercepting a wide range of transaction authentication numbers (TANs), including one-time passwords (OTP), mobile TANs (mTAN) and pushTAN authentication codes, once victims have installed the app on their Android devices.
According to CERT-Bund’s advisory, Windows computers infected by TrickBot were used in man-in-the-browser attacks that asked victims for their online banking mobile phone numbers and device types, in order to trick them into installing a fake security app, the one now called TrickMo.
SMS-based authentication messages can be easily hijacked by rogue third-party apps and are also vulnerable to SIM-swapping attacks, so banks have moved to push notifications that carry the transaction details and the TAN to the user.
To get at these push notifications, TrickMo abuses Android’s accessibility features, which let the app record video of the screen, scrape the data displayed on it, monitor currently running applications and even set itself as the default SMS app.
It further prevents users of infected devices from uninstalling the app.
Once installed, TrickMo achieves persistence by starting itself after the device becomes interactive or after a new SMS message is received. It also lets a remote attacker issue commands to turn specific features on or off, either through a command-and-control (C2) server or via an SMS message.
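The accessibility-service and default-SMS-app combination described above is something an analyst can check for on a device under investigation. The following triage helper is an added example, not code from the article or from IBM X-Force: it takes the raw text of two adb commands (`settings get secure enabled_accessibility_services` and `cmd role get-role-holders android.app.role.SMS`, the latter available on Android 10+) and flags any package that is both an enabled accessibility service and the SMS role holder. The sample command output and package names are constructed, the separator used by the role command is an assumption (the parser accepts `;`, `,` or whitespace), and the allow-list is a stand-in for a real fleet baseline.

```python
"""Added triage helper (not from the article or IBM X-Force): flag installed
packages that are BOTH an enabled accessibility service and the device's
default SMS app, the combination TrickMo is described as abusing.

Inputs are the raw text of two adb commands that exist on Android 10+:
  adb shell settings get secure enabled_accessibility_services
  adb shell cmd role get-role-holders android.app.role.SMS
The sample outputs below are CONSTRUCTED, and the exact separator used by the
role command is an assumption, so the parser accepts ';', ',' or whitespace.
Package names are made up for illustration."""

from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: colon-separated "package/ServiceClass" entries, which is
# the format Android uses for the enabled_accessibility_services setting.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.OverlayService"
)
# Constructed sample: the package currently holding the SMS role.
SAMPLE_SMS_ROLE = "com.example.fakeupdate"

# Assumed analyst allow-list; a real one would come from the fleet baseline.
KNOWN_GOOD = {"com.android.talkback", "com.google.android.apps.messaging"}


def parse_accessibility(raw: str) -> set[str]:
    """Package names of enabled accessibility services ('null' means none)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.strip().split("/", 1)[0]
            for entry in raw.split(":") if entry.strip()}


def parse_role_holders(raw: str) -> set[str]:
    """Package names holding a role; tolerant of several separators."""
    return {p for p in re.split(r"[;,\s]+", raw.strip()) if p and p != "null"}


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Accessibility service + default SMS app together is the TrickMo
        # pattern; either one alone is only worth a look.
        return "high" if len(self.reasons) == 2 else "low"


def triage(accessibility_raw: str, sms_role_raw: str,
           known_good: set[str] = KNOWN_GOOD) -> list[Finding]:
    """Return one Finding per non-allow-listed package seen in either list."""
    a11y = parse_accessibility(accessibility_raw)
    sms = parse_role_holders(sms_role_raw)
    findings = []
    for pkg in sorted(a11y | sms):
        if pkg in known_good:
            continue
        f = Finding(pkg)
        if pkg in a11y:
            f.reasons.append("enabled accessibility service")
        if pkg in sms:
            f.reasons.append("default SMS app")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_ROLE):
        print(f"{f.severity:4} {f.package}: {', '.join(f.reasons)}")
```

A "high" finding is a starting point for a closer look at the package (its installer source, signing certificate and requested permissions), not a verdict; legitimate accessibility tools that are also messaging apps exist, which is why the allow-list is there.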
When the malware is running, it exfiltrates a wide range of information, such as:
- Personal device information
- SMS messages
- Screen recordings of targeted applications, made to capture one-time passwords (TANs)
To avoid suspicion while stealing TAN codes, TrickMo activates the lock screen and prevents users from accessing their devices. It does this with a fake Android update screen that hides its OTP-stealing operations.
It also has a self-destruct feature, so that all traces of the malware’s presence can be removed from a device after a successful operation.
The kill switch can also be activated by SMS. Because the RSA private key used to decrypt the encrypted SMS commands is embedded in the app’s code, the corresponding public key can be generated from it and used to craft an SMS message that turns the self-destruct feature on.
Even though the malware can currently be removed remotely by such an SMS message, a future version of the app may well fix its use of hard-coded key strings for decryption.
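The weakness in that command channel is a general one worth spelling out: a key that decrypts commands only gives confidentiality, and if it ships inside the client, the matching public key follows from it, so anyone holding the binary can author commands the client accepts. The example below is added here and is not TrickMo's code; it uses textbook RSA with tiny primes (not secure) to show first how the public exponent is recovered from the private components and a command then encrypted so the flawed client decrypts and obeys it, and second the design a reviewer would expect instead, where the client holds only a verification key and commands are signed by a key it never has. All primes, exponents and the command code are constructed sample values.

```python
"""Added example (not TrickMo's code; toy textbook RSA with tiny primes, not
secure) showing the weakness the article describes: if the key that DECRYPTS
C2 commands is embedded in the client, the matching public key follows from it,
so anyone with the binary can author commands the client accepts. The second
half shows the design a reviewer would expect instead: the client holds only a
verification key and commands are signed by a key it never has. All primes,
exponents and command codes are constructed sample values."""

from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def make_toy_key(p: int, q: int, e: int = 17) -> dict:
    """Textbook RSA key using the Carmichael function; p, q are toy primes."""
    lam = lcm(p - 1, q - 1)
    assert gcd(e, lam) == 1
    return {"n": p * q, "e": e, "d": pow(e, -1, lam), "p": p, "q": q}


def recover_public_exponent(n: int, d: int, p: int, q: int) -> int:
    """What an analyst can do with private components pulled from a binary:
    the public exponent is just the inverse of d modulo lcm(p-1, q-1).
    (A PKCS#1 private key even stores e directly; this is the harder case.)"""
    assert p * q == n
    return pow(d, -1, lcm(p - 1, q - 1))


def encrypt_command(pub_n: int, pub_e: int, code: int) -> int:
    assert 0 < code < pub_n
    return pow(code, pub_e, pub_n)


def client_decrypt(priv: dict, ciphertext: int) -> int:
    """The flawed client: decrypts and obeys, with no idea who sent it."""
    return pow(ciphertext, priv["d"], priv["n"])


# --- the design that does not have this problem ---------------------------
def sign_command(server_priv: dict, code: int) -> int:
    """Server-side only: the private exponent never leaves the operator."""
    return pow(code, server_priv["d"], server_priv["n"])


def client_verify(server_pub_n: int, server_pub_e: int, code: int, sig: int) -> bool:
    """Client holds only (n, e); dumping it from the binary lets nobody sign."""
    return pow(sig, server_pub_e, server_pub_n) == code


SELF_DESTRUCT = 0x5D  # constructed command code, not a real TrickMo opcode


def demo() -> dict:
    embedded = make_toy_key(61, 53)          # key shipped inside the client
    # Anyone with the binary recovers the public exponent...
    e = recover_public_exponent(embedded["n"], embedded["d"],
                                embedded["p"], embedded["q"])
    # ...and the client happily decrypts a command they authored.
    forged = encrypt_command(embedded["n"], e, SELF_DESTRUCT)
    accepted = client_decrypt(embedded, forged) == SELF_DESTRUCT

    server = make_toy_key(101, 113)          # private part stays server-side
    sig = sign_command(server, SELF_DESTRUCT)
    genuine = client_verify(server["n"], server["e"], SELF_DESTRUCT, sig)
    # Reusing the signature for a different command fails verification.
    tampered = client_verify(server["n"], server["e"], SELF_DESTRUCT + 1, sig)
    return {"recovered_e": e, "forged_command_accepted": accepted,
            "signed_command_accepted": genuine,
            "tampered_command_accepted": tampered}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the second half is not that RSA signatures are novel but that the asymmetry has to point the right way: the secret used to authorise commands must live with the operator, and the client should embed only what it needs to verify. That is also why the article expects a future version to stop relying on hard-coded key strings.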
TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication. Its most significant feature is screen recording, which gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks.