TrickBot Bypasses Online Banking 2FA Protection via Mobile App

The TrickBot​​​​​ gang is using a malicious Android application they developed to bypass two-factor authentication (2FA) protection used by various banks after stealing transaction authentication numbers.

The Android app dubbed TrickMo by IBM X-Force researchers is actively being updated and it is currently being pushed via the infected desktops of German victims with the help of web injects in online banking sessions.

TrickBot's operators have designed TrickMo to intercept a wide range of transaction authentication numbers (TANs) including one-time password (OTP), mobile TAN (mTAN), and pushTAN authentication codes after victims install it on their Android devices.

Spotted for the first time in September 2019

TrickMo was initially spotted by CERT-Bund security researchers who said at the time that TrickBot-infected Windows computers will ask for the victims' online banking mobile phone numbers and device types to prompt them to install a bogus security app.

At the moment, the malicious app is only being pushed by the TrickBot operators only to German targets and it will "camouflage" itself as an 'Avast Security Control' app or as 'Deutsche Bank Security Control' utility.

Once installed on their phones, the app will forward text messages containing mTANs sent by the victims' banks to TrickBot's operators who can later use them to make fraudulent transactions.

Avast Security Control installation screen
Avast Security Control installation screen (Lukas Stefanko)

In a report analyzing TrickMo's capabilities published today, IBM X-Force researchers say that the malware is capable of preventing users of infected devices from uninstalling it, sets itself as the default SMS app, monitors running apps, and scrapes on-screen text.

"From our analysis of the TrickMo mobile malware, it is apparent that TrickMo is designed to break the newest methods of OTP and, specifically, TAN codes often used in Germany," IBM's researchers explain.

"Android operating systems include many dialog screens that require the denial, or approval, of app permissions and actions that have to receive input from the user by tapping a button on the screen.

"TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react."

This allows the Android Trojan to delete SMS messages it forwards to its masters so that the victims are never aware that their devices received a text message with a 2FA code from their banks.

Wide range of 'features'

The malware is also capable of gaining persistence on infected Android devices by registering a receiver that will listen for android.intent.action.SCREEN_ON and android.provider.Telephony.SMS_DELIVER broadcasts to restart itself after a reboot when the screen turns on or an SMS is received.

TrickMo is heavily obfuscated to hinder analysis and it was recently updated, in January 2020, with code that checks if the malware is running on a rooted device or an emulator.

From its large array of capabilities, the IBM X-Force researchers highlighted TrickMo's main ones designed for:

• Stealing personal device information
• Intercepting SMS messages
• Recording targeted applications for one-time password (OTP)/mobile TAN (mTAN)/pushTAN theft
• Lockdown of the phone
• Stealing pictures from the device
• Self-destruction and removal

TrickBot — a continuously updated banking malware

TrickBot is a modular banking malware continuously upgraded by its authors with new capabilities and modules since October 2016 when it was first spotted in the wild.

Although the first detected variants only came with banking Trojan capabilities used for harvesting and exfiltrating sensitive data, TrickBot has now evolved into a popular malware dropper that will infect compromised systems with other, some times more dangerous, malware strains.

TrickBot can deliver other malware as part of multi-stage attacks, Ryuk ransomware being one of the most notable ones, most likely after all useful information has been already collected and stolen.

The malware is also especially dangerous as it can propagate throughout enterprise networks and, if it gains admin access to a domain controller, it can steal the Active Directory database to obtain other network credentials.

Related Articles:

Android malware "FakeCall" now reroutes bank calls to attackers

Over 200 malicious apps on Google Play downloaded millions of times

New Google Pixel AI feature analyzes phone conversations for scams

Russia targets Ukrainian conscripts with Windows, Android malware

TrickMo malware steals Android PINs using fake lock screen