Stealthy TrickMo Trojan Now Steals Unlock Patterns and PIN Codes
Zimperium has uncovered 40 new variants of the TrickMo banking trojan, which has been equipped with advanced evasion techniques and covert data-stealing capabilities.
Despite the absence of official indicators of compromise (IoCs), experts identified 40 new versions of the malware, including 16 droppers and 22 active C2 servers, along with enhanced functionalities. The analysis revealed that many of these samples remain largely undetected by the general public.
Key features of the malware include:
- Interception of one-time passwords (OTP);
- Screen recording;
- Data theft;
- Remote control;
- Automatic granting of permissions and automated clicking on prompts;
- Exploitation of accessibility services;
- Display of overlays and credential theft.
These capabilities enable the malware to gain access to virtually all information on the device, potentially leading to unauthorized access to bank accounts and the execution of financial transactions without the device owner’s knowledge.
In addition to these functions, researchers discovered a new mechanism that allows attackers to steal graphic unlock patterns or PIN codes. The malware displays a fake unlock interface, mimicking the actual device screen. When the user inputs their pattern or PIN, this information, along with the device ID, is sent to a remote server.
The phishing interface is an HTML page hosted on an external website, displayed in full-screen mode on the device, making it appear identical to the genuine screen.
During the analysis, access was gained to several C2 servers, where files containing data from approximately 13,000 unique IP addresses of TrickMo victims were discovered. The primary targets of the attacks include Canada, the UAE, Turkey, and Germany. The list of IP addresses is regularly updated as the malware steals additional credentials. The total number of compromised devices is estimated to be in the millions, with the stolen data encompassing not only banking information but also credentials for accessing corporate resources, such as VPNs and internal services.
Currently, TrickMo is being distributed via phishing campaigns, so to minimize the risk of infection, avoid downloading APK files from links sent through SMS or personal messages from unknown individuals.
