S0427 TrickMo
TrickMo is a 2FA-bypass mobile banking trojan, most likely distributed by TrickBot. TrickMo has primarily targeted users located in Germany. [1]
TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords. [1]
| Item | Value |
|---|---|
| ID | S0427 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.1 |
| Created | 24 April 2020 |
| Last Modified | 11 September 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1438 | Alternate Network Mediums | TrickMo can be controlled via encrypted SMS messages. [1] |
| mobile | T1418 | Application Discovery | TrickMo can collect a list of installed applications. [1] |
| mobile | T1402 | Broadcast Receivers | TrickMo registers for the SCREEN_ON and SMS_DELIVER intents to perform actions when the device is unlocked and when the device receives an SMS message. [1] |
| mobile | T1412 | Capture SMS Messages | TrickMo can intercept SMS messages. [1] |
| mobile | T1533 | Data from Local System | TrickMo can steal pictures from the device. [1] |
| mobile | T1446 | Device Lockout | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor. [1] |
| mobile | T1523 | Evade Analysis Environment | TrickMo can detect if it is running on a rooted device or an emulator. [1] |
| mobile | T1516 | Input Injection | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react. [1] |
| mobile | T1406 | Obfuscated Files or Information | TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java's PBEWithMD5AndDES algorithm. [1] |
| mobile | T1513 | Screen Capture | TrickMo can use the MediaRecorder class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text. [1] |
| mobile | T1582 | SMS Control | TrickMo can delete SMS messages. [1] |
| mobile | T1437 | Standard Application Layer Protocol | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests. [1] |
| mobile | T1426 | System Information Discovery | TrickMo can collect device information such as network operator, model, brand, and OS version. [1] |
| mobile | T1422 | System Network Configuration Discovery | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state. [1] |
| mobile | T1576 | Uninstall Malicious Application | TrickMo can uninstall itself from a device on command by abusing the accessibility service. [1] |
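Several of the techniques above (the SMS_DELIVER receiver, the accessibility service used for TAN capture and self-uninstall, the overlay used for lockout) leave declarations in an APK's AndroidManifest.xml. The following triage script is an added example, not part of the ATT&CK entry or of any TrickMo sample: it parses a constructed manifest and flags that combination of indicators. The SCREEN_ON receiver is registered at runtime rather than in the manifest, so this static check does not catch it.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Manifest-level indicators matching behaviours in the technique table above.
# BIND_ACCESSIBILITY_SERVICE is declared on the <service>, not as a uses-permission.
PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "T1412 read incoming SMS",
    "android.permission.READ_SMS": "T1412 read stored SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "T1446 draw over other apps",
}
ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER": "T1402/T1516 SMS_DELIVER receiver (default SMS app candidate)",
    "android.accessibilityservice.AccessibilityService": "T1513/T1576 accessibility service",
}

def triage_manifest(manifest_xml: str) -> list:
    """Return one finding string per suspicious permission, action or service binding."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID + "name")
        if name in PERMISSIONS:
            hits.append(f"{PERMISSIONS[name]}: {name}")
    for el in root.iter("action"):
        name = el.get(ANDROID + "name")
        if name in ACTIONS:
            hits.append(f"{ACTIONS[name]}: {name}")
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            hits.append("accessibility binding on service " + svc.get(ANDROID + "name", "?"))
    return hits

def risk_level(hits: list) -> str:
    """SMS interception combined with an accessibility service is the TrickMo pattern."""
    text = " ".join(hits)
    if "SMS_DELIVER" in text and "AccessibilityService" in text:
        return "high"
    return "medium" if hits else "low"

# Constructed sample manifest for demonstration; not taken from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run it against a manifest extracted with a tool such as apktool; a "high" result warrants dynamic analysis of the APK's SMS and accessibility handlers.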