TrickMo is a 2FA-bypass mobile banking trojan, most likely distributed by TrickBot, that has primarily targeted users located in Germany. It is designed to steal transaction authorization numbers (TANs), which banks typically use as one-time passwords to authorize transactions.
Created: 24 April 2020
Last Modified: 11 September 2020
| Technique | Use |
|---|---|
| Application Layer Protocol | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests. |
| Data from Local System | TrickMo can steal pictures from the device. |
| Event Triggered Execution | TrickMo registers broadcast receivers, including one for the SMS_DELIVER intent, to perform actions when the device is unlocked and when the device receives an SMS message. |
| | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor. |
| Indicator Removal on Host: Uninstall Malicious Application | TrickMo can uninstall itself from a device on command by abusing the accessibility service. |
| | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react. |
| Obfuscated Files or Information | TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s […] |
| Out of Band Data | TrickMo can be controlled via encrypted SMS messages. |
| Protected User Data | TrickMo can intercept SMS messages. |
| | TrickMo can use the MediaRecorder class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications, intercepting transaction authorization numbers (TANs) and scraping on-screen text. |
| | TrickMo can delete SMS messages. |
| | TrickMo can collect a list of installed applications. |
| System Information Discovery | TrickMo can collect device information such as network operator, model, brand, and OS version. |
| System Network Configuration Discovery | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state. |
| | TrickMo can detect if it is running on a rooted device or an emulator. |
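Several of the capabilities in the table (receiving the SMS_DELIVER broadcast, becoming the default SMS handler, binding an accessibility service, reading IMEI/IMSI, drawing over other apps) must be declared in the APK's manifest before Android will grant them, so a decoded AndroidManifest.xml is the cheapest place to triage a suspected SMS-TAN stealer. The script below is an added example, not code from the TrickMo samples or from MITRE: it parses a decoded manifest (as produced by apktool) and reports which of those building blocks are present. The package and component names and both sample manifests are constructed for the example. Note the caveat it encodes: receivers registered at runtime with registerReceiver() never appear in the manifest, so an empty result is not a clean bill of health.

```python
"""Manifest-level capability triage for a suspected Android SMS-TAN stealer.

Added example (not TrickMo's code). Checks for the components TrickMo-style
malware needs: an SMS_DELIVER receiver, the full default-SMS-handler component
set that Android requires (SMS and WAP push receivers, SENDTO activity,
RESPOND_VIA_MESSAGE service), an accessibility service, and the overlay and
phone-state permissions used for UI blocking and IMEI/IMSI collection.
Limitation: receivers registered at runtime do not show up in the manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERM = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"
A_SCHEME, A_MIME = f"{{{ANDROID_NS}}}scheme", f"{{{ANDROID_NS}}}mimeType"


def _component_info(elem):
    """Name, required permission, and the intent actions/schemes/MIME types it filters on."""
    actions, schemes, mimes = set(), set(), set()
    for f in elem.findall("intent-filter"):
        actions.update(a.get(A_NAME) for a in f.findall("action"))
        for d in f.findall("data"):
            if d.get(A_SCHEME): schemes.add(d.get(A_SCHEME))
            if d.get(A_MIME): mimes.add(d.get(A_MIME))
    return {"name": elem.get(A_NAME), "permission": elem.get(A_PERM),
            "actions": actions, "schemes": schemes, "mimes": mimes}


def parse_manifest(xml_text):
    """Return declared permissions and per-kind component lists from a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:  # malformed or stripped manifest: no components
        app = ET.Element("application")
    comps = {kind: [_component_info(e) for e in app.findall(kind)]
             for kind in ("receiver", "service", "activity")}
    return {"package": root.get("package"),
            "permissions": {p.get(A_NAME) for p in root.findall("uses-permission")}, **comps}


def _has(components, action=None, permission=None, schemes=(), mime=None):
    """True if some component matches every constraint given."""
    for c in components:
        if action and action not in c["actions"]: continue
        if permission and c["permission"] != permission: continue
        if schemes and not set(schemes) <= c["schemes"]: continue
        if mime and mime not in c["mimes"]: continue
        return True
    return False


def default_sms_handler_ready(m):
    """Android only offers an app as default SMS handler when all four components exist."""
    return (_has(m["receiver"], "android.provider.Telephony.SMS_DELIVER", "android.permission.BROADCAST_SMS")
            and _has(m["receiver"], "android.provider.Telephony.WAP_PUSH_DELIVER",
                     "android.permission.BROADCAST_WAP_PUSH", mime="application/vnd.wap.mms-message")
            and _has(m["activity"], "android.intent.action.SENDTO", schemes=("sms", "smsto", "mms", "mmsto"))
            and _has(m["service"], "android.intent.action.RESPOND_VIA_MESSAGE",
                     "android.permission.SEND_RESPOND_VIA_MESSAGE"))


def triage(xml_text):
    """Boolean findings plus a count of how many TrickMo-style building blocks are declared."""
    m = parse_manifest(xml_text)
    findings = {
        "sms_deliver_receiver": _has(m["receiver"], "android.provider.Telephony.SMS_DELIVER"),
        "default_sms_handler_ready": default_sms_handler_ready(m),
        "accessibility_service": _has(m["service"], "android.accessibilityservice.AccessibilityService",
                                      "android.permission.BIND_ACCESSIBILITY_SERVICE"),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in m["permissions"],
        "phone_state_permission": "android.permission.READ_PHONE_STATE" in m["permissions"],
    }
    findings["score"] = sum(findings.values())
    return findings


# Constructed manifest of a hypothetical dropper; names are invented for the example.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter></receiver>
    <activity android:name=".ComposeActivity"><intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/><data android:scheme="mms"/><data android:scheme="mmsto"/>
    </intent-filter></activity>
    <service android:name=".HeadlessSmsService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
  </application>
</manifest>"""

# Constructed manifest of a benign app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml_text))
```

Run it against the output of `apktool d sample.apk` and feed `AndroidManifest.xml` to `triage()`; a high score is a reason to look at the accessibility service's onAccessibilityEvent handler and the SMS receiver next, not a verdict on its own.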
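The last row notes that TrickMo refuses to run on rooted devices and emulators but the page gives no detail on the checks. For an analyst whose sandbox fails to detonate a sample, the useful thing to know is which attributes of the environment such checks typically look at. The following is an added example, not TrickMo's code: the property, file and package checks commonly used by Android malware for this purpose, run over constructed `getprop` dumps, file lists and package lists for an AOSP emulator and a stock phone. The exact indicator list and both sample dumps are assumptions for the example, not observed TrickMo behavior.

```python
"""Root/emulator checks of the kind Android malware uses to refuse to run in a sandbox.

Added example (not TrickMo's code). Given a `getprop` dump, a set of paths that
exist on the device and a set of installed packages, report which indicators
would trip a TrickMo-style environment check so the sandbox can be adjusted.
"""
import re

# Properties whose values betray the AOSP emulator and common third-party emulators.
EMULATOR_PROPERTY_CHECKS = [
    ("ro.kernel.qemu", lambda v: v == "1"),
    ("ro.hardware", lambda v: v in ("goldfish", "ranchu")),
    ("ro.product.model", lambda v: "sdk" in v.lower() or "emulator" in v.lower()),
    ("ro.build.fingerprint", lambda v: v.startswith("generic") or "vbox" in v.lower()),
    ("ro.product.manufacturer", lambda v: v.lower() == "genymotion"),
]
EMULATOR_FILES = {"/dev/socket/qemud", "/dev/qemu_pipe"}

# Classic su locations and root-manager packages checked by rooting detectors.
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/data/local/xbin/su", "/data/local/bin/su"}
ROOT_PACKAGES = {"eu.chainfire.supersu", "com.noshufou.android.su", "com.topjohnwu.magisk"}

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(dump):
    """Parse `getprop` output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in dump.strip().splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def emulator_indicators(props, files):
    """Property values and device files that identify an emulator."""
    hits = [f"{k}={props[k]}" for k, check in EMULATOR_PROPERTY_CHECKS if k in props and check(props[k])]
    return hits + sorted(EMULATOR_FILES & set(files))


def root_indicators(props, files, packages):
    """su binaries, root-manager apps and test-keys builds that identify a rooted device."""
    hits = sorted(SU_PATHS & set(files)) + sorted(ROOT_PACKAGES & set(packages))
    if props.get("ro.build.tags") == "test-keys":  # stock release builds use release-keys
        hits.append("ro.build.tags=test-keys")
    return hits


def assess(dump, files, packages):
    """Verdict plus the individual indicators, so each one can be fixed in the sandbox."""
    props = parse_getprop(dump)
    emu, root = emulator_indicators(props, files), root_indicators(props, files, packages)
    return {"emulator": bool(emu), "rooted": bool(root), "emulator_hits": emu, "root_hits": root}


# Constructed dump resembling an unmodified AOSP x86 emulator image with su pushed to it.
SANDBOX_GETPROP = """
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [Android SDK built for x86]
[ro.build.fingerprint]: [generic/sdk_phone_x86/generic_x86:10/QSR1.190920.001/5891938:userdebug/test-keys]
[ro.build.tags]: [test-keys]
"""
SANDBOX_FILES = {"/dev/qemu_pipe", "/system/xbin/su"}

# Constructed dump resembling a stock retail handset.
PHONE_GETPROP = """
[ro.hardware]: [exynos9820]
[ro.product.model]: [SM-G973F]
[ro.build.fingerprint]: [samsung/beyond1ltexx/beyond1:10/QP1A.190711.020/G973FXXU3BSKO:user/release-keys]
[ro.build.tags]: [release-keys]
"""
PHONE_FILES = {"/system/bin/sh"}

if __name__ == "__main__":
    print("sandbox:", assess(SANDBOX_GETPROP, SANDBOX_FILES, set()))
    print("phone:  ", assess(PHONE_GETPROP, PHONE_FILES, {"com.android.chrome"}))
```

On a real device the three inputs come from `adb shell getprop`, `adb shell ls` over the listed paths and `adb shell pm list packages`. Each reported hit is something the sandbox must hide (a property override, a renamed su, a fingerprint from a retail build) before a sample with these checks will detonate.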