
S0427 TrickMo

TrickMo is a 2FA-bypass mobile banking trojan, most likely distributed by TrickBot. TrickMo has primarily targeted users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

ID: S0427
Associated Names: -
Version: 1.1
Created: 24 April 2020
Last Modified: 11 September 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[1] |
| mobile | T1533 | Data from Local System | TrickMo can steal pictures from the device.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | TrickMo registers for the SCREEN_ON and SMS_DELIVER intents to perform actions when the device is unlocked and when the device receives an SMS message.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.002 | Device Lockout | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.001 | Uninstall Malicious Application | TrickMo can uninstall itself from a device on command by abusing the accessibility service.[1] |
| mobile | T1516 | Input Injection | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[1] |
| mobile | T1406 | Obfuscated Files or Information | TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java's PBEWithMD5AndDES algorithm.[1] |
| mobile | T1644 | Out of Band Data | TrickMo can be controlled via encrypted SMS messages.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | TrickMo can intercept SMS messages.[1] |
| mobile | T1513 | Screen Capture | TrickMo can use the MediaRecorder class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications in order to intercept transaction authorization numbers (TANs) and to scrape on-screen text.[1] |
| mobile | T1582 | SMS Control | TrickMo can delete SMS messages.[1] |
| mobile | T1418 | Software Discovery | TrickMo can collect a list of installed applications.[1] |
| mobile | T1426 | System Information Discovery | TrickMo can collect device information such as network operator, model, brand, and OS version.[1] |
| mobile | T1422 | System Network Configuration Discovery | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | TrickMo can detect if it is running on a rooted device or an emulator.[1] |