IBM experts discovered that the operators of the TrickBot banking Trojan have developed their own Android application that helps bypass the two-factor authentication used by banks. This application intercepts one-time security codes from SMS messages and forwards them to the command-and-control server, that is, to its operators.
Researchers say that Windows users infected with the desktop version of TrickBot are exposed to such attacks. The TrickMo application appeared in the fall of last year, and specialists at the German CERT were the first to draw attention to it.
⚠️ Watch out with #Online #Banking: #Emotet downloads #Trickbot. On infected PCs, Trickbot displays a prompt during online banking asking for the mobile phone number and the device type, and then asks users to install a supposed security app. pic.twitter.com/QHfmYojZxK
– CERT-Bund (@certbund) September 20, 2019
Currently, TrickMo is used very selectively and is not yet widespread. According to IBM, so far it has been used only against German users, since two-factor authentication is widely used by German banks, and Germany has always served as a testing ground for new TrickBot features.
TrickMo spreads by relying on TrickBot's web injections, that is, on functionality that allows content to be injected into the infected user's browser. If TrickBot detects that the user is accessing the site of one of the targeted banks, it injects a web page prompting the user to download and install a fake security solution that supposedly "protects accounts". In fact, this application, which pretends to be the Avast mobile antivirus, contains the TrickMo malware.
As soon as the user installs this fake antivirus, it asks the victim for access to the Accessibility service. TrickMo makes full use of the privileges thus obtained to interact with the victim's device (without any user interaction) and generate the necessary taps on the screen. TrickMo also sets itself up as the default SMS application. This allows it to intercept any SMS messages received on the device, including those sent by banks.
The malware is also able to intercept one-time codes delivered as push notifications. To do this, TrickMo uses the Accessibility service capabilities to record the application screen and sends the captured data to the attackers' server.
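The dangerous combination the article describes is an app that arrives outside the app store, holds an enabled accessibility service, and also owns the SMS role (or a notification listener). The following triage heuristic, an added example that is not code from IBM, CERT-Bund or the TrickBot operators, scores an inventory of installed apps on exactly that combination. The `AndroidApp` structure, the scoring rules, the `com.example.*` package names and the sample inventory are all constructed for illustration; on a real device the inventory would be built from the package manager, the accessibility settings and the default-SMS role.

```python
"""Defender-side triage of Android app privileges (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PLAY_STORE = "com.android.vending"  # installer package of the Google Play Store
# Words a lure app tends to use in its label; purely a heuristic, not a signature.
SECURITY_WORDS = ("security", "antivirus", "protect", "secure", "avast")


@dataclass
class AndroidApp:
    """Minimal per-app facts the heuristic needs (constructed structure)."""
    package: str
    label: str
    installer: Optional[str]        # installer package; None means sideloaded
    accessibility_enabled: bool     # user enabled one of its accessibility services
    default_sms_handler: bool       # app currently holds the SMS role
    notification_listener: bool = False  # user granted notification access


def risk_indicators(app: AndroidApp) -> List[str]:
    """Return the individual indicators present on one app."""
    indicators = []
    if app.installer != PLAY_STORE:
        indicators.append("sideloaded")
    if app.accessibility_enabled:
        indicators.append("accessibility")
    if app.default_sms_handler:
        indicators.append("default_sms")
    if app.notification_listener:
        indicators.append("notification_listener")
    # A self-described "security" app that did not come from the store is itself suspicious.
    if app.installer != PLAY_STORE and any(w in app.label.lower() for w in SECURITY_WORDS):
        indicators.append("security_branding_sideloaded")
    return indicators


def classify(app: AndroidApp) -> str:
    """Map indicators to a risk level; the rules mirror the article's description."""
    ind = set(risk_indicators(app))
    can_read_codes = "default_sms" in ind or "notification_listener" in ind
    if "sideloaded" in ind and "accessibility" in ind and can_read_codes:
        return "high"      # can act on screen and read OTP delivery channels
    if "sideloaded" in ind and "accessibility" in ind:
        return "medium"    # can drive the UI silently, but no code interception yet
    return "low"


def triage(apps: List[AndroidApp]) -> Dict[str, str]:
    """Classify every app in an inventory, keyed by package name."""
    return {app.package: classify(app) for app in apps}


# Constructed sample inventory: a store-installed messenger that legitimately
# holds the SMS role, a store-installed screen reader, and a sideloaded
# "antivirus" that behaves like the lure described above.
SAMPLE_APPS = [
    AndroidApp("com.example.messenger", "Messenger", PLAY_STORE, False, True),
    AndroidApp("com.example.screenreader", "Screen Reader", PLAY_STORE, True, False),
    AndroidApp("com.example.fakeav", "Avast Security", None, True, True, True),
]

if __name__ == "__main__":
    for package, level in triage(SAMPLE_APPS).items():
        print(f"{package:28} {level}")
```

The store-installed messenger and screen reader each hold one sensitive privilege and score low; only the sideloaded app that combines accessibility with SMS and notification access reaches high. The heuristic is deliberately coarse: it flags the privilege pattern, not a particular package, so a real deployment would feed its output to an analyst rather than act on it automatically.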
According to IBM, TrickMo has other capabilities besides collecting one-time codes. For example, the malware also collects information about the device, which it then sends to its operators for fingerprinting. TrickBot operators can thus reproduce the victim's device "fingerprint" while executing fraudulent transactions, giving the bank the impression that the operation originated from a legitimate device.
In addition, TrickMo has a screen lock function, although it is not used for extortion purposes. Instead, TrickMo locks the screen to hide its malicious activity from the user. Specifically, the malware displays a fake full-screen Android update message to conceal its operations and the theft of one-time codes.
Equally important, the malware has a self-destruct function which, according to IBM experts, the hackers use after stealing money when they want to remove all evidence of their presence from the device.
Interestingly, TrickMo is not the first companion malware of this kind, although the phenomenon is rare in general. Even the name TrickMo itself is a reference to ZitMo, an Android app created by the Zeus malware developers in 2011. ZitMo was likewise used to bypass 2FA on bank accounts.