TrickMo Android Trojan Exploits Accessibility Services to Steal Banking Credentials

TrickMo, an advanced Android banking trojan, has resurfaced with new capabilities that exploit Android's accessibility services to conduct on-device fraud (ODF). First detected in 2019, the malware continues to evolve: it now uses obfuscation to evade detection and carries mechanisms to capture banking credentials and two-factor authentication (2FA) codes, with targets among users in Germany and beyond.

  • Exploiting Accessibility Services: TrickMo abuses Android's accessibility services, which are meant to assist users with disabilities, to gain extensive control over the infected device. This elevated access allows the malware to intercept SMS messages, manipulate notifications, execute HTML overlay attacks, and even perform gestures on the device to steal user credentials.
  • Fake Login Screens and Phishing Attacks: The trojan displays deceptive login screens that mimic legitimate banking or service portals, tricking victims into entering their credentials. The HTML overlay attacks enable TrickMo to capture sensitive information like banking login details, making it easier for cybercriminals to conduct fraudulent activities.
  • Remote Device Control: The malware allows attackers to remotely control infected devices, enabling on-device fraud. By controlling the device, cybercriminals can authorize transactions, make unauthorized fund transfers, and hide any evidence of their activities from the user.
  • Anti-Analysis and Obfuscation Techniques: TrickMo employs anti-analysis measures such as malformed ZIP files and JSONPacker to evade detection and hinder analysis by security researchers. The dropper app that installs the malware masquerades as the Google Chrome browser and deceives users into enabling the harmful accessibility settings under the guise of a Google Services update.

The malicious activity conducted by TrickMo puts victims' financial information at high risk. The malware captures OTPs and 2FA codes, allowing cybercriminals to bypass these security measures and complete unauthorized transactions. Its ability to collect personal data, including SMS messages, photos, and credentials, can further lead to identity theft, account takeovers, and long-term financial and reputational damage.

  1. Avoid Sideloading Apps: Download apps only from official sources such as the Google Play Store. Be wary of third-party downloads or updates, especially those pushed through unofficial channels.
  2. Monitor App Permissions: Pay close attention to the permissions requested by apps. If an app requests access to accessibility services without a valid reason, avoid granting it.
  3. Enable Play Protect: Ensure Google Play Protect is enabled to scan for potentially harmful apps and alert you to suspicious activity.
  4. Regular Updates: Keep your device’s operating system and apps up to date to ensure the latest security patches are applied.
  5. Use Multi-Factor Authentication: Enable 2FA wherever possible, and use hardware tokens or app-based authenticators instead of SMS-based 2FA, which can be intercepted by malware like TrickMo.
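The permission check in point 2 can also be run from the administrator's side: the script below, added here as an example and not part of the original advisory or any NPAV product, lists the accessibility services enabled on a connected Android device and flags any whose package is neither allowlisted nor installed from Google Play, the situation a sideloaded dropper posing as Chrome produces. It assumes adb is on PATH and the device is authorised; the allowlist and the package name `com.fake.chrome` used in comments are constructed, not real indicators.

```shell
#!/bin/sh
# Added example (not from the advisory): audit enabled accessibility services
# and flag packages that Google Play did not install. The parse/audit functions
# take raw command output as arguments so they also run offline on captured text.

# Packages allowed to hold accessibility access (constructed allowlist; extend per fleet).
TRUSTED_A11Y_PKGS="com.google.android.marvin.talkback"

# Turn the raw 'enabled_accessibility_services' secure setting (colon-separated
# "package/ServiceClass" entries) into one package name per line.
parse_enabled_services() {
  raw=$(printf '%s' "$1" | tr -d '\r')
  if [ -z "$raw" ] || [ "$raw" = "null" ]; then return 0; fi
  printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# From 'pm list packages -i' output, print the installer of one package
# ("unknown" if the package is absent; "null" means no recorded installer,
# i.e. sideloaded via adb, a file manager or a browser download).
installer_of() {
  pkg="$1"; pm_output="$2"
  printf '%s\n' "$pm_output" | awk -v p="package:$pkg" \
    '$1 == p { sub(/^installer=/, "", $2); print $2; found = 1 }
     END { if (!found) print "unknown" }'
}

# Report every enabled accessibility service whose package is neither allowlisted
# nor installed by Google Play (com.android.vending). Returns 1 if any were flagged.
audit_a11y() {
  raw="$1"; pm_output="$2"; flagged=0
  for pkg in $(parse_enabled_services "$raw"); do
    case " $TRUSTED_A11Y_PKGS " in *" $pkg "*) continue ;; esac
    inst=$(installer_of "$pkg" "$pm_output")
    if [ "$inst" != "com.android.vending" ]; then
      echo "SUSPICIOUS accessibility service: $pkg (installer=$inst)"
      flagged=1
    fi
  done
  return $flagged
}

# Live check against the connected device (both adb shell commands are standard Android ones).
audit_device() {
  audit_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
             "$(adb shell pm list packages -i)"
}
```

Call `audit_device` from an interactive shell; a non-zero exit means at least one accessibility service deserves a closer look before the device is trusted for banking.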

TrickMo is a sophisticated banking trojan that highlights the growing threat landscape in mobile cybersecurity. By abusing accessibility services and using advanced anti-analysis techniques, it remains a serious threat to users. Vigilance and robust security practices are essential to protect against such threats. Fortifying your device with solutions like NPAV Mobile Security can provide additional protection from mobile malware, helping to safeguard your financial and personal information.