Only recently we talked about how TrickBot uses hacked systems for brute-force attacks on RDP, and today IBM experts disclosed that the TrickBot banking Trojan has its own Android application that helps bypass the two-factor authentication used by banks.
This application intercepts one-time security codes from SMS messages and forwards them to the command-and-control server, and from there to its operators. Researchers say that Windows users infected with the desktop version of TrickBot are exposed to such attacks. The TrickMo application appeared in the fall of last year and was first noticed by specialists at the German CERT.
“Beware of TrickMo’s online banking. On infected PCs, TrickMo displays a request for a mobile phone number and device type during online banking, and then prompts users to install the alleged security application”, wrote the German experts.
Currently, TrickMo is used very selectively and is not yet widespread. According to IBM, so far it is used against German users, since two-factor authentication is widely used by German banks, and Germany has always served as a testing ground for new TrickBot features.
TrickMo spreads through TrickBot’s web injections, a feature that injects attacker-controlled content into the infected user’s browser. If TrickBot detects that the user is visiting the site of one of the targeted banks, it serves a web page that prompts the user to download and install a fake security solution that supposedly “protects accounts”. In fact, this application, which pretends to be the Avast mobile antivirus, contains the TrickMo malware.
“As soon as the user installs this fake antivirus, it asks the victim for access to the Accessibility service. TrickMo fully uses the privileges obtained in this way to interact with the victim’s device (without any user interaction) and generate the necessary taps on the screen”, write the IBM researchers.
TrickMo also sets itself up as the default SMS application. This allows it to intercept any SMS message received on the device, including those sent by banks.
Additionally, the malware is able to intercept one-time codes delivered as push notifications. To do this, TrickMo uses the Accessibility service capabilities to record the application screen and sends the captured data to the attackers’ server.
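A defender-side triage check for the two footholds just described, an enabled Accessibility service and the default SMS handler, added here as an example and not code from the article or from IBM. It assumes the values come from the Android Secure settings keys `enabled_accessibility_services` and `sms_default_application` (as read with `adb shell settings get secure <key>`), the allowlisted package names are illustrative, and the sample values are constructed:

```python
from __future__ import annotations
from dataclasses import dataclass

# Illustrative allowlists (assumption): packages a fleet has reviewed and
# expects to hold these privileges. Tune per device model / MDM policy.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}


@dataclass
class Finding:
    kind: str      # "accessibility", "default_sms" or "combined"
    package: str
    detail: str


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'pkg/cls' list into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):          # 'settings get' prints "null" when unset
        return []
    pairs = []
    for comp in raw.split(":"):
        if "/" not in comp:
            continue
        pkg, cls = comp.split("/", 1)
        if cls.startswith("."):      # shorthand: class relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def triage(enabled_services: str, default_sms: str) -> list[Finding]:
    """Flag unreviewed Accessibility services and a non-stock default SMS app."""
    findings = []
    for pkg, cls in parse_accessibility_services(enabled_services):
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(Finding("accessibility", pkg, f"unreviewed service {cls} enabled"))
    sms = default_sms.strip()
    if sms and sms != "null" and sms not in TRUSTED_SMS_APPS:
        findings.append(Finding("default_sms", sms, "non-stock app holds the default SMS role"))
    # One package holding both privileges is the TrickMo pattern (taps + OTP capture).
    if sms in {f.package for f in findings if f.kind == "accessibility"}:
        findings.append(Finding("combined", sms, "same package has accessibility and default SMS"))
    return findings


# Constructed sample: a fake "antivirus" package that obtained both privileges.
SAMPLE_SERVICES = "com.google.android.marvin.talkback/.TalkBackService:com.example.fakeav/.AccService"
SAMPLE_SMS = "com.example.fakeav"

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_SMS):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```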
According to IBM, TrickMo has other capabilities besides collecting one-time codes. For example, the malware also collects information about the device and sends it to its operators for fingerprinting. TrickBot operators can then reproduce the victim’s device “fingerprint” while executing fraudulent transactions, giving the bank the impression that the operation came from a legitimate device.
In addition, TrickMo has a screen lock function, although it is not used for extortion purposes. Instead, TrickMo locks the screen to hide its malicious activity from the user. “So, the malware uses a fake full-screen Android update message to hide its operations and steal one-time codes”, the IBM experts say.
Just as important, the malware has a self-destruct function, which, according to IBM experts, the attackers use after stealing money when they want to remove all evidence of their presence from the device.
Interestingly, TrickMo is far from the first satellite malware of this kind, although the phenomenon is rare. Even the name TrickMo itself is a reference to ZitMo, an Android application created by the Zeus malware developers in 2011. ZitMo was likewise used to bypass 2FA on bank accounts.