TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

ID: S0427
Platforms: Android
Contributors: Ohad Mana, Check Point; Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.1
Created: 24 April 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1437 .001 Application Layer Protocol: Web Protocols

TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[1]

Mobile T1533 Data from Local System

TrickMo can steal pictures from the device.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

TrickMo registers for the SCREEN_ON and SMS_DELIVER intents to perform actions when the device is unlocked and when the device receives an SMS message.[1]

Mobile T1629 .002 Impair Defenses: Device Lockout

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[1]

Mobile T1630 .001 Indicator Removal on Host: Uninstall Malicious Application

TrickMo can uninstall itself from a device on command by abusing the accessibility service.[1]

Mobile T1516 Input Injection

TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[1]

Mobile T1406 Obfuscated Files or Information

TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s PBEWithMD5AndDES algorithm.[1]

Mobile T1644 Out of Band Data

TrickMo can be controlled via encrypted SMS message.[1]

Mobile T1636 .004 Protected User Data: SMS Messages

TrickMo can intercept SMS messages.[1]

Mobile T1513 Screen Capture

TrickMo can use the MediaRecorder class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.[1]

Mobile T1582 SMS Control

TrickMo can delete SMS messages.[1]

Mobile T1418 Software Discovery

TrickMo can collect a list of installed applications.[1]

Mobile T1426 System Information Discovery

TrickMo can collect device information such as network operator, model, brand, and OS version.[1]

Mobile T1422 System Network Configuration Discovery

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1]

Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

TrickMo can detect if it is running on a rooted device or an emulator.[1]