S0427 TrickMo
TrickMo is a mobile banking trojan that bypasses 2FA and is most likely distributed by TrickBot. It has primarily targeted users located in Germany.1
TrickMo is designed to steal transaction authorization numbers (TANs), the one-time passwords used to confirm online banking transactions.1
Item | Value |
---|---|
ID | S0427 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 24 April 2020 |
Last Modified | 11 September 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.1 |
mobile | T1533 | Data from Local System | TrickMo can steal pictures from the device.1 |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | TrickMo registers receivers for the SCREEN_ON and SMS_DELIVER intents so that it runs when the screen is turned on and when the device receives an SMS message.1 |
mobile | T1629 | Impair Defenses | - |
mobile | T1629.002 | Device Lockout | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.1 |
mobile | T1630 | Indicator Removal on Host | - |
mobile | T1630.001 | Uninstall Malicious Application | TrickMo can uninstall itself from a device on command by abusing the accessibility service.1 |
mobile | T1516 | Input Injection | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.1 |
mobile | T1406 | Obfuscated Files or Information | TrickMo uses obfuscated function, class, and variable names, and encrypts its shared preferences with Java's PBEWithMD5AndDES algorithm (a legacy PKCS#5 scheme built on MD5 and 56-bit DES, so the stored data is recoverable once the passphrase is extracted from the APK).1 |
mobile | T1644 | Out of Band Data | TrickMo can be controlled via encrypted SMS message.1 |
mobile | T1636 | Protected User Data | - |
mobile | T1636.004 | SMS Messages | TrickMo can intercept SMS messages.1 |
mobile | T1513 | Screen Capture | TrickMo can use the MediaRecorder class to record the screen while a targeted application is in the foreground, and can abuse the accessibility service to scrape on-screen text from targeted applications in order to intercept transaction authorization numbers (TANs).1 |
mobile | T1582 | SMS Control | TrickMo can delete SMS messages.1 |
mobile | T1418 | Software Discovery | TrickMo can collect a list of installed applications.1 |
mobile | T1426 | System Information Discovery | TrickMo can collect device information such as network operator, model, brand, and OS version.1 |
mobile | T1422 | System Network Configuration Discovery | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.1 |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | TrickMo can detect if it is running on a rooted device or an emulator.1 |
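Several rows above (T1624.001, T1516, T1630.001, T1636.004, T1437.001) describe capabilities that leave traces in an APK's manifest: an SMS_DELIVER receiver, the four components Android requires before an app can be set as the default SMS handler, an accessibility service, SMS permissions, and an explicit cleartext-traffic allowance. The following triage script is an added example, not code from the ATT&CK page or from TrickMo itself; the manifest it parses is constructed for illustration (the package and component names are hypothetical), and it assumes the binary AndroidManifest.xml has already been decoded to plain XML (for example with apktool). Note that a SCREEN_ON receiver must be registered at runtime, so it does not appear in the manifest and is not checked here.

```python
"""Triage a decoded AndroidManifest.xml for the capability indicators listed
in the TrickMo technique table. Added example; the manifest below is
constructed and the component names are hypothetical."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

# Constructed sample manifest (not from a real TrickMo sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
        <data android:scheme="mms"/><data android:scheme="mmsto"/>
      </intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _actions(component):
    """All intent-filter action names declared under a component element."""
    return {a.get(A + "name") for a in component.iter("action")}


def _components_with(root, tag, action, permission):
    """Names of <tag> components that handle `action` and are guarded by `permission`."""
    return [c.get(A + "name") for c in root.iter(tag)
            if action in _actions(c) and c.get(A + "permission") == permission]


def is_default_sms_candidate(root):
    """True when the four components Android requires of a default SMS handler are all
    declared: SMS_DELIVER receiver, WAP_PUSH_DELIVER receiver, RESPOND_VIA_MESSAGE
    service, and a SENDTO activity for the sms/smsto/mms/mmsto schemes."""
    has_sms = bool(_components_with(root, "receiver",
                                    "android.provider.Telephony.SMS_DELIVER",
                                    "android.permission.BROADCAST_SMS"))
    has_mms = bool(_components_with(root, "receiver",
                                    "android.provider.Telephony.WAP_PUSH_DELIVER",
                                    "android.permission.BROADCAST_WAP_PUSH"))
    has_respond = bool(_components_with(root, "service",
                                        "android.intent.action.RESPOND_VIA_MESSAGE",
                                        "android.permission.SEND_RESPOND_VIA_MESSAGE"))
    has_compose = any(
        "android.intent.action.SENDTO" in _actions(act)
        and {d.get(A + "scheme") for d in act.iter("data")} >= {"sms", "smsto", "mms", "mmsto"}
        for act in root.iter("activity"))
    return has_sms and has_mms and has_respond and has_compose


def triage_manifest(xml_text):
    """Map ATT&CK technique IDs to the manifest evidence found for each."""
    root = ET.fromstring(xml_text)
    findings = {}
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms_perms = perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"}
    if sms_perms:
        findings["T1636.004"] = sorted(sms_perms)
    app = root.find("application")
    if app is not None and app.get(A + "usesCleartextTraffic") == "true":
        findings["T1437.001"] = ["usesCleartextTraffic=true"]
    sms_receivers = _components_with(root, "receiver",
                                     "android.provider.Telephony.SMS_DELIVER",
                                     "android.permission.BROADCAST_SMS")
    if sms_receivers:
        findings["T1624.001"] = sms_receivers
    if is_default_sms_candidate(root):
        findings["T1516"] = ["meets all default-SMS-handler requirements"]
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    if a11y:
        findings["T1630.001"] = a11y
    return findings


if __name__ == "__main__":
    for tid, evidence in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print(tid, evidence)
```

None of these indicators is malicious on its own; a legitimate messaging app declares exactly the same default-SMS-handler components. The value of the check is the combination: an app whose stated purpose has nothing to do with messaging, yet which meets every default-SMS-handler requirement, declares an accessibility service, and permits cleartext HTTP, matches the profile in the table above and deserves dynamic analysis.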