A new android app has been developed by the malware authors behind TrickBot Banking Trojan that intercepts once authorisation codes sent to internet banking customers via SMS or fairly stable push alerts and transactions.
The Android program, which IBM X-Force researchers referred to as “TrickMo,” is under active development and has targeted primarily German users whose desktops have been compromised by malware from TrickBot.
“TrickBot spread to Germany when it first appeared in 2016,” IBM researchers said.
The TrickMo name refers to a specific kind of Android-banking malware known as ZitMo, which formed the Zeus Criminal Gang in 2011 to bypass SMS-based two-factor authentication. “They claim that TrickBot’s massive bank fraud was an ongoing effort that allows gangs to monetize stolen accounts.”
The latest development is the arsenal of developments in the banking Trojan which has since become morphic in the delivery of other malware including the well-known Ryuk ransomware, act as an information robber, loot Bitcoin bags and harvest emails.
Abusing Android’s Accessibility Features to Hijack OTP Codes
The TrickMo campaign, initially detected in the CERT-Bund last September, intercepts a broad range of Transaction Authentication numbers (TANs) including the OTP, Mobile TAN and PushTAN Authentication Codes after victims install them on Android.
The advisory from CERT-Bund went astray that Windows computers with TrickBot use man-in-the-browser (MitB) attacks to ask the victims to get their mobile phone numbers and device types to install a fake security application, which is now called TrickMo.
But, given the security threats faced by SMS-based authentication — messages can be easily intercepted by rogue third-party apps and are also susceptible to SIM-swapping attacks — banks are beginning to rely on user push notifications that include transaction information and TAN numbers.
To overcome this hurdle of getting hold of the app’s push notifications, TrickMo makes use of Android’s accessibility features that allow it to record a video of the app’s screen, scrap the data displayed on the screen, monitor applications currently running and even set itself as the default SMS app.
Moreover, it prevents infected computer users from uninstalling the app.
A Wide Range of Features
If enabled, TrickMo can also gain persistence by starting itself after the app becomes interactive or a new SMS message is received. It also features an intricate configuration system that allows commands to turn on / off different features (e.g. accessibility permissions, recording status, SMS device status) through a command-and-control (C2) server or SMS message.
When malware is running, it exfilters a wide variety of information, including — Personal computer details SMS messages Capturing targeted applications for one-time password (TAN) images But to avoid raising suspicion while stealing TAN codes, TrickMo triggers the lock screen, preventing users from accessing their devices. Specifically, it uses a fake Android update screen to hide OTP theft.
Finally, it comes with self-destruction and removal features, allowing the cybercrime gang behind TrickMo to delete all signs of malware activity from a computer after a successful operation.
The kill switch can also be triggered by SMS, but IBM researchers found it possible to decrypt the encrypted SMS commands using a hard-coded RSA private key embedded in the source code, allowing the generation of the public key and generating an SMS message that can turn the self-destruct function on.
Although this means that an SMS message will remotely delete the malware, it is safe to presume that a future version of the software will rectify using hard-coded key strings for decryption.
TrickBot trojan was one of the most active cybercrime malware strains in 2019,” IBM researchers concluded.
“From our review, it is clear that TrickMo is designed to help TrickBot crack the current TAN-based authentication methods. One of TrickMo’s most significant features is the device recording feature, which gives TrickBot the ability to resolve new pushTAN device validations deployed by banks.”
