A new variant of the TrickMo malware, a banking Trojan targeting Android devices, has emerged, raising significant concerns for mobile security. This version employs advanced techniques to bypass defenses and steal sensitive information, including device unlock patterns and PINs. Cybersecurity researchers from firms like Cleafy and Zimperium have identified these new features, which allow the malware to gain extensive control over infected devices and carry out unauthorized actions.
TrickMo deceives users by displaying a fake unlock screen that closely resembles the legitimate Android lock screen. When victims enter their unlock pattern or PIN, the malware captures the information and transmits it to an attacker-controlled server. This access enables cybercriminals to unlock the device remotely and perform malicious activities when the user is not actively monitoring their phone. Besides PIN theft, the Trojan also records screen activity, intercepts one-time passwords (OTPs), and exfiltrates data such as photos, SMS messages, and other credentials.
The malware exploits Android’s Accessibility Service to gain elevated permissions on the device. This allows TrickMo to perform various tasks, including disabling security features, blocking system updates, and even preventing app uninstallation. The malware’s sophisticated anti-analysis mechanisms make detection challenging, with tactics such as using malformed ZIP files and disguised dropper apps that impersonate legitimate applications like Google Chrome.
TrickMo Malware exposes sensitive data collected from infected devices
Researchers found a concerning flaw in the malware’s command-and-control (C2) infrastructure, which exposed sensitive data collected from infected devices. Misconfigurations in the C2 server allowed unauthorized access to thousands of records, including personal information, login credentials, and photos. TrickMo’s primary targets include users in countries such as Canada, Turkey, Germany, and the United Arab Emirates, but its impact reaches a global scale.
With TrickMo primarily spreading through phishing campaigns, experts advise Android users to avoid downloading APKs from unknown sources and ensure that Google Play Protect is active. Staying vigilant against suspicious messages and keeping device security features updated can help reduce the risk of infection.
{{user}} {{datetime}}
{{text}}