TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

ID: S0427
Platforms: Android
Contributors: Ohad Mana, Check Point; Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.1
Created: 24 April 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1438 Alternate Network Mediums

TrickMo can be controlled via encrypted SMS message.[1]

Mobile T1418 Application Discovery

TrickMo can collect a list of installed applications.[1]

Mobile T1402 Broadcast Receivers

TrickMo registers for the SCREEN_ON and SMS_DELIVER intents to perform actions when the device is unlocked and when the device receives an SMS message.[1]

Mobile T1412 Capture SMS Messages

TrickMo can intercept SMS messages.[1]

Mobile T1533 Data from Local System

TrickMo can steal pictures from the device.[1]

Mobile T1446 Device Lockout

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[1]

Mobile T1523 Evade Analysis Environment

TrickMo can detect if it is running on a rooted device or an emulator.[1]

Mobile T1516 Input Injection

TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[1]

Mobile T1406 Obfuscated Files or Information

TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s PBEWithMD5AndDES algorithm.[1]

Mobile T1513 Screen Capture

TrickMo can use the MediaRecorder class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.[1]

Mobile T1582 SMS Control

TrickMo can delete SMS messages.[1]

Mobile T1437 Standard Application Layer Protocol

TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[1]

Mobile T1426 System Information Discovery

TrickMo can collect device information such as network operator, model, brand, and OS version.[1]

Mobile T1422 System Network Configuration Discovery

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1]

Mobile T1576 Uninstall Malicious Application

TrickMo can uninstall itself from a device on command by abusing the accessibility service.[1]