Cybersecurity researchers have identified a new version of the Android banking trojan, TrickMo, which uses advanced techniques to avoid detection and steal users’ banking credentials.
The malware harvests sensitive information by displaying fake login screens, and it evades analysis with mechanisms such as malformed ZIP files and a dropper app designed to avoid detection.
TrickMo has been targeting Android users, especially in Germany, since its discovery in 2019. Initially designed to steal one-time passwords (OTPs) and two-factor authentication (2FA) codes, the malware has evolved to become even more stealthy.
It now records screen activity, captures keystrokes, harvests SMS messages and photos, and takes control of infected devices to carry out on-device fraud (ODF). By abusing Android’s accessibility services, TrickMo performs unauthorized actions such as overlaying HTML login screens and controlling gestures and clicks on the device.
A key element of the attack involves a malicious dropper app disguised as Google Chrome. Once installed, the app prompts the user to update Google Play Services, downloading the TrickMo payload in the process.
The user is then tricked into granting accessibility permissions, which gives the malware extensive control over the device. This allows it to intercept SMS messages, hijack authentication codes, perform HTML overlay attacks, and even prevent the uninstallation of certain apps.
Researchers found misconfigurations in the command-and-control (C2) server linked to TrickMo, revealing 12 GB of stolen data, including credentials and images.
The same C2 infrastructure also hosted fake login pages for banks and cryptocurrency platforms, such as ATB Mobile, Alpha Bank, and Binance. The poor security of the C2 server exposes victims’ data to other cybercriminals, increasing the risk of identity theft, unauthorized fund transfers, and account hijacking.
In response to these threats, Google has taken steps to enhance Android’s security by tightening sideloading protocols and requiring users to download apps through Google Play. These updates aim to close security loopholes that malicious actors like TrickMo exploit.
To prevent falling victim to this type of malware, Android users should avoid installing apps from unknown sources and be cautious when granting accessibility permissions to any app. Regularly reviewing installed apps and permissions is also a good practice to ensure no malicious software has compromised your device.
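As an added defender-side example (not code from the original article), the following Python helper automates the review recommended above: it parses the output of two adb shell commands, `settings get secure enabled_accessibility_services` and `pm list packages -3 -i`, and flags any third-party app that was not installed from Google Play yet holds an enabled accessibility service, which is exactly the combination a sideloaded dropper that asks for accessibility access would produce. The package names, sample output and allowlist are constructed for illustration.

```python
from __future__ import annotations

# Defender-side triage: parse two adb command outputs and flag the pattern the
# article describes, an app not installed from Google Play that holds an enabled
# accessibility service. All sample data below is constructed, not a real capture.
PLAY_STORE = "com.android.vending"
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}  # hypothetical allowlist

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.chrome.updater/.AccessService")
# Constructed sample of: adb shell pm list packages -3 -i
SAMPLE_PKGS = """package:com.chrome.updater  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.bank  installer=com.android.vending"""


def parse_a11y(setting: str) -> list[tuple[str, str]]:
    """Split the colon-separated ComponentName list into (package, service class).
    A class part starting with '.' is shorthand for '<package>.<class>'."""
    if setting.strip() in ("", "null"):
        return []
    pairs = []
    for entry in setting.strip().split(":"):
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs


def parse_packages(listing: str) -> dict[str, str | None]:
    """Map each third-party package to its installer; None means sideloaded."""
    result = {}
    for line in listing.splitlines():
        if line.startswith("package:"):
            pkg, _, rest = line[len("package:"):].partition("installer=")
            installer = rest.strip()
            result[pkg.strip()] = None if installer in ("", "null") else installer
    return result


def audit(setting: str, listing: str) -> dict[str, list[str]]:
    """Return findings; 'high' = sideloaded package with accessibility enabled."""
    installers = parse_packages(listing)
    sideloaded = sorted(p for p, i in installers.items() if i != PLAY_STORE)
    unexpected = sorted({p for p, _ in parse_a11y(setting)} - KNOWN_GOOD_A11Y)
    high = [p for p in unexpected if p in sideloaded]
    return {"high": high, "unexpected_a11y": unexpected, "sideloaded": sideloaded}


if __name__ == "__main__":
    print(audit(SAMPLE_A11Y, SAMPLE_PKGS))  # 'high': ['com.chrome.updater']
```

Run it against real output by piping the two adb commands into the parser functions; a non-empty `high` list is the finding worth investigating first.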