New Trojan Variant Steals Android Unlock Patterns and PINs

A newly discovered variant of the Android banking trojan TrickMo now includes capabilities to steal a device’s unlock pattern or PIN, enabling attackers to control the device even while it’s locked.

First identified in 2019 and linked to the notorious TrickBot cybercrime group, TrickMo has evolved significantly, now exploiting Android’s accessibility services to capture sensitive data like one-time passwords (OTPs) and credentials via deceptive overlay screens.

Recent reports revealed that these new versions of TrickMo can present a fake unlock screen to trick users into entering their pattern or PIN. This fraudulent interface, designed to closely mimic a real unlock screen, is displayed using an HTML page hosted externally.

When a user enters their credentials, the data, along with a unique device identifier, is sent to a server controlled by the attackers.

Researchers found vulnerabilities in the command-and-control (C2) servers used by TrickMo, revealing data from over 13,000 devices across Canada, the UAE, Turkey, and Germany. The stolen information isn’t limited to banking details; it also includes credentials for corporate networks, such as VPN access and internal websites.

The scope of TrickMo’s targeting is broad, affecting various categories like banking, e-commerce, enterprise applications, healthcare, telecom, and entertainment. As mobile devices increasingly serve as entry points for cyberattacks, the need for stronger protections becomes evident.

Additionally, a new Android banking trojan campaign, dubbed ErrorFather, has emerged, based on repurposed Cerberus malware. This campaign highlights the ongoing threat posed by recycled malware, as cybercriminals continue to exploit leaked source code from older malware to carry out attacks.

According to recent findings, mobile banking attacks surged by 29% between June 2023 and April 2024. India emerged as the top target, accounting for 28% of all attacks, followed by the U.S., Canada, South Africa, and several other countries.

To protect against trojans like TrickMo, users and organizations should ensure their mobile devices are equipped with updated security software and avoid installing apps from untrusted sources. Regular security checks and endpoint protection for mobile devices should also be enforced.
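Because TrickMo depends on accessibility services, one concrete security check is to list which apps hold that access and where they were installed from. The script below is an added example, not taken from the reports this article summarizes; the allowlist, the trusted-installer list, the severity labels and the sample data are constructed assumptions to adapt to your own fleet.

```shell
#!/bin/sh
# Added example (not from the article): audit enabled accessibility services.
# Assumption: packages your organisation expects to hold accessibility access.
ALLOWED_PACKAGES="com.google.android.marvin.talkback"
# Assumption: installers treated as trusted app sources.
TRUSTED_INSTALLERS="com.android.vending"

# in_list ITEM "space separated list" -> succeeds if ITEM is in the list.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_a11y ENABLED INSTALLERS
#   ENABLED:    output of `settings get secure enabled_accessibility_services`
#               (colon-separated package/ServiceClass entries, or "null")
#   INSTALLERS: output of `pm list packages -i`
# Prints "SEVERITY<TAB>package<TAB>installer" for each service off the allowlist.
audit_a11y() {
    enabled=$(printf '%s' "$1" | tr -d '\r')      # adb output may carry CRs
    installers=$(printf '%s' "$2" | tr -d '\r')
    case "$enabled" in ""|null) return 0 ;; esac  # no services enabled
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
        pkg=${entry%%/*}                          # keep the package name only
        [ -n "$pkg" ] || continue
        in_list "$pkg" "$ALLOWED_PACKAGES" && continue
        installer=$(printf '%s\n' "$installers" | awk -v p="package:$pkg" \
            '$1 == p { sub(/^installer=/, "", $2); print $2; exit }')
        [ -n "$installer" ] || installer=unknown
        if in_list "$installer" "$TRUSTED_INSTALLERS"; then
            printf 'REVIEW\t%s\t%s\n' "$pkg" "$installer"
        else
            printf 'HIGH\t%s\t%s\n' "$pkg" "$installer"   # sideloaded or unknown source
        fi
    done
}

# Constructed sample data (package names are placeholders, not real indicators).
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.HelperService:com.example.storeapp/.AssistService'
SAMPLE_INSTALLERS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.storeapp  installer=com.android.vending'

# Live use (requires adb and an authorised device):
#   audit_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#              "$(adb shell pm list packages -i)"
audit_a11y "$SAMPLE_ENABLED" "$SAMPLE_INSTALLERS"
```

A HIGH line means an app with accessibility access that is neither allowlisted nor installed from a trusted source; REVIEW means a store-installed app that is simply not on the allowlist.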