TrickMo

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.^[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.^[1]

ID: S0427

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Contributors: Ohad Mana, Check Point; Aviran Hazum, Check Point; Sergey Persikov, Check Point

Version: 1.1

Created: 24 April 2020

Last Modified: 11 September 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1437	.001	Application Layer Protocol: Web Protocols	TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.^[1]
Mobile	T1533		Data from Local System	TrickMo can steal pictures from the device.^[1]
Mobile	T1624	.001	Event Triggered Execution: Broadcast Receivers	TrickMo registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.^[1]
Mobile	T1629	.002	Impair Defenses: Device Lockout	TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.^[1]
Mobile	T1630	.001	Indicator Removal on Host: Uninstall Malicious Application	TrickMo can uninstall itself from a device on command by abusing the accessibility service.^[1]
Mobile	T1516		Input Injection	TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.^[1]
Mobile	T1406		Obfuscated Files or Information	TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm.^[1]
Mobile	T1644		Out of Band Data	TrickMo can be controlled via encrypted SMS message.^[1]
Mobile	T1636	.004	Protected User Data: SMS Messages	TrickMo can intercept SMS messages.^[1]
Mobile	T1513		Screen Capture	TrickMo can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.^[1]
Mobile	T1582		SMS Control	TrickMo can delete SMS messages.^[1]
Mobile	T1418		Software Discovery	TrickMo can collect a list of installed applications.^[1]
Mobile	T1426		System Information Discovery	TrickMo can collect device information such as network operator, model, brand, and OS version.^[1]
Mobile	T1422		System Network Configuration Discovery	TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.^[1]
		.001	Internet Connection Discovery	TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.^[1]
		.002	Wi-Fi Discovery	TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.^[1]
Mobile	T1633	.001	Virtualization/Sandbox Evasion: System Checks	TrickMo can detect if it is running on a rooted device or an emulator.^[1]

References

P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.

TrickMo

Mobile Layer

Techniques Used

References