TrickBot uses a malicious Android app to bypass 2FA by various banks

by Julie Splinters

TrickBot malware developers have released a malicious Android application that bypasses the two-factor authentication used by various banks

TrickBot bypasses online banking 2FA

Malware authors have released a new Android application that intercepts the one-time authorization codes banks send to their online banking customers via SMS or push notification, bypassing the second factor and letting the operators complete fraudulent transactions.[1] The app is built to intercept a wide range of transaction authentication numbers, including one-time passwords (OTP), mobile TAN (mTAN) and pushTAN codes.[2]

The app was first spotted in September 2019,[3] when it was disguised as a security utility and targeted only German users. Now these applications are aimed at users around the globe. According to the newest report from IBM X-Force researchers, the TrickMo app is updated regularly and is pushed to victims through their already infected desktops: TrickBot's web injects in online banking sessions prompt the user to install it on the phone.[4] Germany was one of the first targets of the TrickBot banking trojan, so users whose desktops have already been infected by it remain the targets of this campaign.

From our analysis of the TrickMo mobile malware, it is apparent that TrickMo is designed to break the newest methods of OTP and, specifically, TAN codes often used in Germany.

A handful of features, including persistence

The malware prevents users from uninstalling it by setting itself as the default SMS app, monitoring which applications are running and scraping text directly from the screen. Android shows many dialogs that require the user to tap Allow or Deny before an action is taken. By abusing the Accessibility Service, TrickMo can read and control these dialogs and make the decision itself before the user ever sees the choice. This is also how the malware deletes SMS messages after forwarding them to its operators, so the victim never notices that the device received a text message with the 2FA code from the bank.

Registering a receiver on the infected device that listens for the android.intent.action.SCREEN_ON and android.provider.Telephony.SMS_DELIVER broadcasts gives the malware persistence as well: whenever an SMS arrives, the screen turns on, or the phone is rebooted, the malicious app restarts itself.
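The indicators described above (a receiver for the default-SMS-app broadcast, an accessibility service that can read the screen and click through dialogs, SMS permissions, and restart on reboot) can be checked statically in a decoded AndroidManifest.xml. The following triage script is an added example, not code from 2-spyware or IBM X-Force; it assumes the APK has already been decoded with apktool or a similar tool, and the manifest it parses is constructed for the demo rather than taken from a real sample. One caveat worth knowing: android.intent.action.SCREEN_ON cannot be declared in a manifest, Android only delivers it to receivers registered at runtime with Context.registerReceiver(), so that half of the persistence trick needs code review or dynamic analysis rather than a manifest check.

```python
# Added example (not code from 2-spyware or IBM X-Force): static triage of a
# decoded AndroidManifest.xml for the TrickMo-style indicators the article
# names. Assumes the APK was decoded with apktool or similar; the manifest
# below is constructed for this demo and is not from any real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Indicators taken from the article: default-SMS-app receiver, accessibility
# service, SMS permissions. BOOT_COMPLETED is an assumption: it is the usual
# way an app arranges to restart after a reboot, which the article describes.
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
A11Y_SERVICE_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# android.intent.action.SCREEN_ON is deliberately absent: Android only
# delivers it to receivers registered at runtime via registerReceiver(),
# so a manifest-only check cannot see that part of the persistence logic.


def actions_of(component):
    """Collect every <action android:name> inside the component's intent filters."""
    return {
        action.get(A_NAME)
        for intent_filter in component.findall("intent-filter")
        for action in intent_filter.findall("action")
    }


def triage_manifest(manifest_xml):
    """Return a list of (indicator, detail) tuples found in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    requested = {p.get(A_NAME) for p in root.findall("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)
    if sms_perms:
        findings.append(("sms_permissions", sms_perms))

    app = root.find("application")
    if app is None:
        return findings

    for receiver in app.findall("receiver"):
        actions = actions_of(receiver)
        if SMS_DELIVER in actions:
            # Only the default SMS app receives SMS_DELIVER, so declaring this
            # receiver means the app intends to take over SMS handling.
            findings.append(("default_sms_app_receiver", receiver.get(A_NAME)))
        if BOOT_COMPLETED in actions:
            findings.append(("restart_on_boot", receiver.get(A_NAME)))

    for service in app.findall("service"):
        if (service.get(A_PERMISSION) == A11Y_BIND_PERMISSION
                or A11Y_SERVICE_ACTION in actions_of(service)):
            # An accessibility service can read on-screen text and tap
            # through permission dialogs on the user's behalf.
            findings.append(("accessibility_service", service.get(A_NAME)))

    return findings


# Constructed manifest mimicking the components described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurityapp">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Security Update">
        <receiver android:name=".SmsReceiver" android:exported="true"
            android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".ScreenReaderService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for indicator, detail in triage_manifest(SAMPLE_MANIFEST):
        print(f"{indicator}: {detail}")
```

None of these indicators is malicious on its own (a legitimate SMS client declares SMS_DELIVER, and screen readers are accessibility services), but an app that presents itself as a bank "security update" while requesting all of them at once is exactly the profile the article describes and is worth pulling for manual review.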

More recent updates of the code show that TrickMo now has features to:

  • steal device information;
  • intercept SMS messages;
  • record applications for OTP, mTAN and pushTAN theft;
  • lock the phone completely;
  • steal pictures from the phone;
  • self-destruct and remove all traces.

Researchers named it TrickMo after a similar earlier malware

The TrickBot creators are not the first to release a malicious mobile application alongside a desktop trojan. The gang behind the Zeus trojan released a similar Android banking malware called ZitMo (Zeus-in-the-Mobile) back in 2011. Researchers chose the name TrickMo because of this parallel: a desktop banking trojan group developing an accompanying Android application.

This is nevertheless rare and somewhat strange: mobile banking trojans already include features for bypassing 2FA on their own, and they do not need a companion desktop trojan to operate on mobile devices. Researchers speculate that, since TrickBot is one of the biggest threats around, there may be more behind the ongoing updates of the mobile app than 2FA theft alone.

According to our research, TrickMo is still under active development as we expect to see frequent changes and updates. 

This banking trojan first appeared in 2016 and has evolved into a crimeware-as-a-service (CaaS) operation that makes money by letting other actors deploy second-stage malware on hosts it has already infected.[5]

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.

References

