New Android Banking Malware TrickMo Targets Users to Steal Login Credentials

Banking malware is malicious software that targets financial institutions and their customers. Android banking malware is on the rise; rather than exploiting kernel or platform vulnerabilities, most families abuse legitimate Android features such as the Accessibility Service to harvest user data. Cleafy's Threat Intelligence team has identified a new Android banking malware dubbed "TrickMo," which was found to be actively attacking users to steal login credentials.

TrickMo: New Android Banking Malware on the Rise

TrickMo is a new variant of Android banking malware related to its predecessor, TrickBot. Instead of conventional code obfuscation alone, it relies on refined anti-analysis techniques, including malformed ZIP files, JsonPacker, and dropper apps, to avoid detection. The malware is distributed through a dropper disguised as "Google Chrome," which abuses the Android Accessibility Service to grant itself elevated permissions without further user interaction.

Once installed, TrickMo can intercept one-time passwords used by online banking services, record the screen, log keystrokes, and give the operators remote access to the infected device. It communicates with its C2 server over HTTP POST requests, sending device information as JSON to the /c endpoint and receiving commands in return, according to the Cleafy report.
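The check-in pattern described above (a POST of device information as JSON to a "/c" endpoint) is something a defender can look for in proxy or egress logs. The following detector is an added example written for this article, not Cleafy's tooling and not code recovered from the malware; the log format, the device-fingerprint field names (model, android, imei, apps, lang, sim) and the scoring weights are assumptions, and the log records are constructed.

```python
"""
Flag TrickMo-style check-ins in a JSON-lines proxy log.

Assumptions (not from the article): each log line is a JSON object with
src, method, url, content_type, user_agent and body fields, and a
device-information check-in carries at least two of DEVICE_INFO_KEYS.
"""
import json
from urllib.parse import urlsplit

# Field names a device check-in might carry. Assumed for illustration.
DEVICE_INFO_KEYS = {"model", "android", "imei", "apps", "lang", "sim"}

# Constructed sample records; none of this is real traffic.
SAMPLE_RECORDS = [
    {"src": "10.0.0.7", "method": "POST", "url": "http://203.0.113.10/c",
     "content_type": "application/json", "user_agent": "okhttp/4.9.0",
     "body": json.dumps({"model": "Pixel 6", "android": "13",
                         "imei": "000000000000000", "apps": ["de.example.bank"]})},
    {"src": "10.0.0.7", "method": "GET", "url": "https://www.google.com/",
     "content_type": "", "user_agent": "Mozilla/5.0 (Linux; Android 13) Chrome/118",
     "body": ""},
    # Legitimate API that happens to use a /c path: must not be flagged.
    {"src": "10.0.0.8", "method": "POST", "url": "https://api.example.org/c",
     "content_type": "application/json", "user_agent": "okhttp/4.9.0",
     "body": json.dumps({"query": "weather"})},
    {"src": "10.0.0.9", "method": "POST", "url": "http://198.51.100.5/c",
     "content_type": "text/plain", "user_agent": "Dalvik/2.1.0", "body": "ping"},
]
SAMPLE_LOG_TEXT = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def beacon_score(rec):
    """Return (score, reasons). Only POSTs to a /c path are considered at all."""
    reasons = []
    if rec.get("method") != "POST" or urlsplit(rec.get("url", "")).path != "/c":
        return 0, reasons
    score = 0
    ctype = rec.get("content_type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        score += 1
        reasons.append("JSON body posted to /c")
    try:
        body = json.loads(rec.get("body") or "")
    except json.JSONDecodeError:
        body = None
    if isinstance(body, dict):
        hits = DEVICE_INFO_KEYS & set(body)
        if len(hits) >= 2:
            score += 2  # device fingerprinting is the strongest signal
            reasons.append("device fingerprint fields: " + ", ".join(sorted(hits)))
    if "Mozilla/" not in rec.get("user_agent", ""):
        score += 1
        reasons.append("non-browser user agent")
    return score, reasons


def find_beacons(text, threshold=3):
    """Return records whose score reaches the threshold, with the reasons."""
    hits = []
    for rec in parse_jsonl(text):
        score, reasons = beacon_score(rec)
        if score >= threshold:
            hits.append({"src": rec["src"], "url": rec["url"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG_TEXT):
        print(hit["src"], hit["url"], hit["score"], "; ".join(hit["reasons"]))
```

The path and method alone are deliberately worth nothing: plenty of legitimate apps post JSON to short paths, so the weight sits on the device-fingerprint fields, and a non-browser user agent only tips the balance. Tune the key set and weights to what your own telemetry shows before deploying this as an alert.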

TrickMo uses a clicker configuration (clicker.json) to automate actions through the Accessibility Service, targeting both system and utility applications. Its capabilities include SMS interception, photo retrieval, screen recording, remote access, and HTML overlay attacks for credential theft. The malware can change the default SMS app, retrieve the list of installed apps, and perform clicks and gestures on the device.

TrickMo's C2 server was found to hold exfiltrated information, including logs, credentials, and pictures, but it lacks any authentication, exposing the victims to other threat actors as well. TrickMo was first discovered and reported by CERT-Bund in 2019. The operators mostly target banking applications in Europe, with a strong focus on German-speaking users, as shown by the language settings in the clicker.json file.
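The two paragraphs above describe the clicker.json configuration and the German language focus it revealed. The following triage helper is an added example written for this article, not Cleafy's analysis code and not a real TrickMo sample: the JSON layout (rules with a package, a lang tag, and a list of find_text/action steps), the sample contents, and the constructed installed-app list are all assumptions made so that a defender can see how such a config is turned into indicators.

```python
"""
Turn a TrickMo-style clicker configuration into indicators.

The config layout is ASSUMED for this article: the text only says that
clicker.json drives Accessibility-Service automation against system and
utility apps and carries German-language settings.
"""
import json
from collections import Counter

# Constructed sample config; the package names are standard Android ones,
# the rules and strings are invented for illustration.
SAMPLE_CLICKER_JSON = json.dumps({
    "version": 3,
    "rules": [
        {"package": "com.android.settings", "lang": "de",
         "steps": [{"find_text": "Bedienungshilfen", "action": "click"},
                   {"find_text": "Zulassen", "action": "click"}]},
        {"package": "com.android.settings", "lang": "en",
         "steps": [{"find_text": "Accessibility", "action": "click"},
                   {"find_text": "Allow", "action": "click"}]},
        {"package": "com.google.android.packageinstaller", "lang": "de",
         "steps": [{"find_text": "Installieren", "action": "click"}]},
        {"package": "com.android.vending", "lang": "de",
         "steps": [{"action": "gesture", "path": [[540, 1700], [540, 600]]}]},
    ],
})


def load_config(text):
    """Parse the config and validate the fields the helpers below rely on."""
    cfg = json.loads(text)
    rules = cfg.get("rules")
    if not isinstance(rules, list):
        raise ValueError("config has no 'rules' list")
    for rule in rules:
        if "package" not in rule or not isinstance(rule.get("steps"), list):
            raise ValueError("rule missing 'package' or 'steps': %r" % (rule,))
    return cfg


def targeted_packages(cfg):
    """Package names the automation drives; useful as on-device indicators."""
    return sorted({rule["package"] for rule in cfg["rules"]})


def language_counts(cfg):
    """How many rules exist per UI language tag (rules with no tag count as '?')."""
    return Counter(rule.get("lang", "?") for rule in cfg["rules"])


def dominant_language(cfg):
    """The language with the most rules; ties resolve alphabetically."""
    counts = language_counts(cfg)
    return sorted(counts, key=lambda lang: (-counts[lang], lang))[0]


def action_counts(cfg):
    """Distribution of Accessibility actions across every step."""
    return Counter(step.get("action", "?")
                   for rule in cfg["rules"] for step in rule["steps"])


def search_strings(cfg, lang):
    """UI strings the clicker looks for in a given language, in config order."""
    return [step["find_text"]
            for rule in cfg["rules"] if rule.get("lang") == lang
            for step in rule["steps"] if "find_text" in step]


def installed_overlap(cfg, installed):
    """Targeted packages that are present on a device's installed-app list."""
    return sorted(set(targeted_packages(cfg)) & set(installed))


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CLICKER_JSON)
    print("targets:", targeted_packages(cfg))
    print("languages:", dict(language_counts(cfg)), "dominant:", dominant_language(cfg))
    print("actions:", dict(action_counts(cfg)))
    print("German strings:", search_strings(cfg, "de"))
```

Two points carry over to real samples whatever the actual layout turns out to be: the package list tells you which legitimate apps the malware expects to drive (and therefore which Accessibility events to watch for), and the distribution of language tags is the quickest way to confirm the regional targeting the report describes.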

Analysis of the dropper's package name (dreammes.ross431.in) and of the way the payload is unpacked (com.turkey.inner.Uactortrust) highlights the advanced techniques used to hide and protect the malware. The data exposure itself was not the result of an intrusion: the command-and-control (C2) server was misconfigured, which leaked 12 GB of victim data.

Several of the C2 server's endpoints exposed the IP addresses of compromised devices, operation logs, and the HTML documents used in overlay attacks against banking and cryptocurrency platforms. The server also held CSV files containing stolen usernames and passwords, as well as ZIP files containing pictures taken from infected devices.

This leak not only exposes an operational mistake by the people behind TrickMo's infrastructure but also increases the chance that the leaked data will be abused further. Threat actors can use it to log in to victims' accounts, commit identity theft, and run highly targeted phishing campaigns. Because the exposed data includes device details and personal photographs, it widens the attack surface beyond online fraud and could even enable attacks in the physical world, which shows that comprehensive data-protection measures are needed to prevent such incidents in the future.