Security researchers have uncovered the newest tricks in TrickMo’s playbook. The latest variant of the TrickMo Android banking trojan can steal a user’s device PIN or unlock pattern, which lets the threat actors unlock and operate the device while the victim is not using it. To capture the credential, the malware displays a full-screen HTML page that imitates the Android lock screen; once the user enters their PIN or pattern, the malware transmits it, together with the device’s Android ID (which ties the stolen credential to a specific infected device), to a PHP script on attacker-controlled infrastructure.

TrickMo comes equipped with a growing list of capabilities, including:

  • One-Time Password (OTP) Interception
  • Screen Recording and Keylogging
  • Remote Control
  • Data Exfiltration
  • Abuse of Accessibility Services
  • Obfuscation and Anti-Analysis Techniques

Researchers also identified 40 recent TrickMo variants that used 16 droppers and 22 command-and-control (C2) servers. By gaining access to several of these C2 servers, the researchers found 13,000 unique victim IP addresses. These addresses were primarily located in Canada, but targets were observed worldwide.

Recommendations:

  • Refrain from clicking links in text messages and direct messages from unverified sources.
  • Users are advised to only download applications from official sources.
  • Review the permissions an app requests before installing it, and do not grant Accessibility Services access to apps that have no legitimate need for it.
  • Keep Google Play Protect enabled on all Android devices.
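The recommendation to withhold Accessibility Services access is easier to enforce when you can see which apps already hold it. The following script is an added example, not part of the NJCCIC bulletin or any vendor tooling: it parses the value of the Android secure setting enabled_accessibility_services (readable over adb with `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of package/service component names, or "null" when none are enabled) and reports every enabled service whose package is not on a small allowlist. The allowlist contents and the sample package com.example.freevideo are assumptions made for the example.

```python
"""Audit the accessibility services enabled on an Android device.

Added example (not from the NJCCIC bulletin). Feed it the value of:

    adb shell settings get secure enabled_accessibility_services

That value is a colon-separated list of component names of the form
"package/service"; a service part beginning with "." is relative to the
package. "null" or an empty string means no accessibility service is enabled.
Any package not on the allowlist is reported for review, because an unexpected
app holding this privilege is what TrickMo-style malware abuses to read screen
content and act on the user's behalf.
"""

# Assumed allowlist of legitimate accessibility tools (screen readers). Adjust
# for your own fleet; anything not listed here is flagged for review.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Turn the raw setting value into (package, fully-qualified service) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        if not entry or "/" not in entry:
            continue  # malformed entry: skip it rather than crash the audit
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service  # expand the package-relative class name
        services.append((package, service))
    return services


def find_suspicious_services(raw: str, allowlist=KNOWN_GOOD_PACKAGES) -> list[tuple[str, str]]:
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(raw) if pkg not in allowlist]


if __name__ == "__main__":
    # Constructed sample value (no real device involved): a screen reader plus a
    # hypothetical sideloaded app that has persuaded the user to enable it.
    sample = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.freevideo/com.example.freevideo.OverlayService")
    for pkg, svc in find_suspicious_services(sample):
        print(f"REVIEW: {pkg} has an enabled accessibility service ({svc})")
```

On a managed fleet this check can be run per device and the flagged packages compared against the list of apps installed from the official store; an accessibility service belonging to a sideloaded app is a strong signal that the device should be examined.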

This information was published in the NJCCIC WEEKLY BULLETIN – October 17, 2024