
TrickMo

Posted: July 17, 2020

TrickMo is a spyware program, aimed primarily at Android mobile phones, that collects information related to password confirmation for banking activity. Its usage correlates with the presence of Trojan.TrickBot on an associated desktop computer, and its campaign currently targets individuals in Germany. Users should disable any cellular and wireless connections on their phones before removing TrickMo through suitable anti-malware products and similarly disinfecting their computers.

A New Trick in a Banking Trojan's Bag

The threat actors with a history rich in black hat tools like the Dyreza Trojan and BazarBackdoor are up to new tricks with another enhancement to the long-updated and multi-functional Trojan.TrickBot. This notorious banking Trojan also doubles as a Trojan delivery vehicle and generalized data collector, and now has extra help from a 'new' phone application. The application, TrickMo, works around banks' latest security measures by intercepting account notifications and passwords.

Trojan.TrickBot installs TrickMo on Android phones by presenting it to the victim as a security application. TrickMo can self-activate whenever the device becomes interactive or after receiving an SMS message, which synergizes with one of its optional Command & Control methods. A particular danger that malware experts note is that, because it uses SMS, TrickMo can receive commands and conduct attacks without an internet connection, using the cellular network as a replacement.

Predictably, TrickMo has the motives of a banking Trojan sub-type of spyware. It passes off the data that it collects to the threat actor periodically and can snatch image files, one-time passwords like TANs that authorize bank account access, SMS messages of all types and device info (battery life, for instance). TrickMo also can disguise its exfiltration of information with a fake lock screen that looks like an Android update, and can self-uninstall after it finishes its work.

Tackling a Multiple-Hardware Security Problem

The threat actor demonstrates a professional, years-long dedication to hacking, from ancillary threats like the PowerTrick and Anchor backdoor Trojans to the long-running update and maintenance of Trojan.TrickBot. TrickMo's current deployment appears focused solely on Germany, but its suitability for deployment elsewhere in Europe and the rest of the world is self-evident. Victims should treat any TrickMo infection as a symptom of additional threats, spyware or otherwise, on their desktop PCs.

TrickMo's payload includes highly-invasive and configurable (by turning them on or off through C&C commands) features for collecting data, but mainly, for facilitating fraudulent banking transactions. Users should monitor their bank account histories for possible symptoms and also watch for similar signs of other hijacked accounts, courtesy of Trojan.TrickBot and its supporting Trojans. Disabling all network connectivity, including WiFi and cellular, is a priority objective in infection scenarios.

Like the unrelated xHelper, TrickMo also prevents users from uninstalling the threatening application. Users should let professional, Android-compatible anti-malware services remove TrickMo, when possible.
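The behaviours described above (activation when the device becomes interactive or an SMS arrives, SMS and one-time-password interception, and resistance to uninstallation) each correspond to well-known Android manifest declarations, so a decoded manifest can be triaged for that combination. The following is an added example written for this write-up, not code from TrickMo's analysts or from any product; it assumes the manifest has already been decoded from the APK (for instance with apktool), the mapping of behaviours to Android intent actions and permissions is the author's own, and the sample manifest is constructed.

```python
# Defensive manifest triage for the TrickMo-style behaviour combination.
# Added example; the behaviour-to-API mapping below is an assumption, not
# an indicator published for TrickMo.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT",        # device becomes interactive
    "android.provider.Telephony.SMS_RECEIVED",   # incoming SMS (also a C2 channel)
}
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"  # common uninstall-resistance hook

def triage_manifest(xml_text: str) -> dict:
    """Return which of the write-up's behaviours a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Collect every intent action declared on any broadcast receiver.
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    findings = {
        "sms_interception": bool(perms & SMS_PERMS),
        "wake_triggers": sorted(actions & TRIGGER_ACTIONS),
        "device_admin": ADMIN_ACTION in actions,
    }
    findings["score"] = (int(findings["sms_interception"])
                         + len(findings["wake_triggers"])
                         + int(findings["device_admin"]))
    # SMS access plus a wake trigger is the core of the pattern; device admin raises the score.
    findings["suspicious"] = findings["sms_interception"] and bool(findings["wake_triggers"])
    return findings

# Constructed sample manifest mimicking a fake "security" app; not a real TrickMo artifact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.security">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate SMS app will trip the interception check on its own, so the score is a triage aid for ranking decoded APKs, not a verdict.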

TrickMo's extension of Man-in-the-Middle attack techniques to Man-in-the-Mobile ones makes it a potent recruit in the army of Trojan.TrickBot. Mobile device owners will need to maintain an ever-heightened awareness of the synergies between computer and phone vulnerabilities, and protect their bank accounts that much more strongly.
