Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials.
"The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms."
"These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware."
TrickMo, first caught in the wild by CERT-Bund in September 2019, has a history of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud.
The mobile-focused malware is assessed to be the work of the now-defunct TrickBot e-crime gang, over time continually improving its obfuscation and anti-analysis features to fly under the radar.
Notable among the features are its ability to record screen activity, log keystrokes, harvest photos and SMS messages, remotely control the infected device to conduct on-device fraud (ODF), and abuse Android's accessibility services API to carry out HTML overlay attacks as well as perform clicks and gestures on the device.
The malicious dropper app discovered by the Italian cybersecurity company masquerades as the Google Chrome web browser that, when launched after installation, urges the victim to update Google Play Services by clicking the Confirm button.
Should the user proceed with the update, an APK file containing the TrickMo payload is downloaded to the device under the guise of "Google Services," following which the user is asked to enable accessibility services for the new app.
"Accessibility services are designed to assist users with disabilities by providing alternative ways to interact with their devices," the researchers said. "However, when exploited by malicious apps like TrickMo, these services can grant extensive control over the device."
"This elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS messages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to steal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to integrate seamlessly into the device's operations."
Furthermore, the abuse of the accessibility services allows the malware to disable crucial security features and system updates, auto-grant permissions at will, and prevent the uninstallation of certain apps.
Cleafy's analysis also uncovered misconfigurations in the command-and-control (C2) server that made it possible to access 12 GB worth of sensitive data exfiltrated from the devices, including credentials and pictures, without requiring any authentication.
The C2 server also hosts the HTML files used in the overlay attacks. These files encompass fake login pages for various services, counting banks such as ATB Mobile and Alpha Bank and cryptocurrency platforms like Binance.
The security lapse not only highlights the operational security (OPSEC) blunder on the part of the threat actors, but also puts the victims' data at risk of exploitation by other threat actors.
The wealth of information exposed from TrickMo's C2 infrastructure could be leveraged to commit identity theft, infiltrate various online accounts, conduct unauthorized fund transfers, and even make fraudulent purchases. Even worse, attackers could hijack the accounts and lock the victims out by resetting their passwords.
"Using personal information and images, the attacker can craft convincing messages that trick victims into divulging even more information or executing malicious actions," the researchers noted.
"Exploiting such comprehensive personal data results in immediate financial and reputational damage and long-term consequences for the victims, making recovery a complex and prolonged process."
The disclosure comes as Google has been plugging the security holes around sideloading to let third-party developers determine if their apps are sideloaded using the Play Integrity API and, if so, require users to download the apps from Google Play in order to continue using them.
Update
A Google spokesperson told The Hacker News that it did not find any evidence of the malware being distributed via the Google Play Store, and that users are protected against known versions of the threat by Google Play Protect, which is enabled by default on Android devices with Google Play Services.