A particularly nefarious Banking Trojan, TrickBot, has reemerged, this time with an Android variant named “TrickMo” – a reference to a similar strain of banking malware earlier observed by IBM researchers called “ZitMo” developed by the Zeus cybercriminal group. Cyble Research and Intelligence Labs conducted a deep dive into the latest variant of TrickMo in their recent analysis. 

Initially identified in September 2019, TrickMo has made a reappearance in the Banking Trojan space with enhanced capabilities. The variants of TrickMo that Cyble Research and Intelligence Labs have observed all leverage JsonPacker to conceal their code.

While this is fairly common for newer banking Trojans, the latest iteration of TrickMo contains enhanced capabilities to carry out other activities, such as exfiltrating device screen content, downloading runtime modules, and overlay injection, to name a few.  

TrickMo Banking Trojan

The Overlay Injection, or Overlay Attack as it is often called, is a notable differentiator from earlier iterations of TrickMo, which primarily relied on screen recording to capture details.

Overlay Attack, by comparison, is relatively more sophisticated and efficient, showcasing the evolution of TrickMo since its inception in 2019 and subsequent iterations in 2020 and 2021.

The applications targeted by this iteration of TrickMo malware are typically banking apps and browsers, in keeping with Banking Trojan behavior observed in the past. 

The Clicker function is preloaded with a set of applications defined by the malware author, upon which TrickMo will auto-click to execute with a set of pre-defined filters and actions to carry out information-stealing activities.

The malware can then successfully auto-execute these applications and activities on the compromised device without the victim’s knowledge – indicating the level of evolution that TrickMo has undergone in recent years. 

In a similar theme, TrickMo has done away with its reliance on screen recording via the MediaProjection API in favor of collecting Accessibility event logs instead to gather data from the running applications that it initiates via the Clicker function.

The Accessibility event log data is sent back to the malware author in the form of a zip file after collection from the victim’s device. 

It’s worth noting that the Accessibility Service built into Android Operating Systems typically deters such activities, which is why one of the prerequisites for TrickMo to run successfully on a target device is for the intended victim to allow the application Accessibility Service access, something TrickMo will repeatedly prompt them to do. 

With these new features, TrickMo’s expanded arsenal stands at a current total of 45 commands, each with its own designated malicious purpose to either compromise or exfiltrate sensitive data from victims’ devices. 

While this is definitely a sophisticated and dangerous strain of malware, exercising some basic cyber-hygiene can help mobile users secure themselves from TrickMo and other similar malware. We have listed a few of these steps below:

• Update your operating system on all your devices regularly 
• Do not download applications from unverified sources such as sideloading or links. Ensure that any applications you are running are from official software platforms such as Google Play Store and the iOS App Store 
• Be wary of granting Accessibility Service access to any application 
• Run strong, reputed antivirus and anti-malware software on your devices to detect and quarantine malware 
• Do not open links or attachments sent to your mobile device, particularly from unknown senders, without verifying their authenticity first 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Related