The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks.

This Android app, which security researchers from IBM have named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications.

TrickMo collects and then sends the codes to the TrickBot gang's backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions.

TrickMo currently active only in Germany

According to a report published today by IBM, only users that have been previously infected with the (Windows) desktop version of the TrickBot malware are exposed to these attacks.

Furthermore, the TrickMo is not broadly used in the wild. Currently, it's only deployed against German users, primarily because German banks have a broader deployment of OTP protections, and Germany has always served as a testing ground for new TrickBot features.

The TrickMo app was first seen in the wild in September 2019, when it was first spotted by Germany's CERT team.

⚠️ Aufgepasst beim #Online #Banking:#Emotet lädt #Trickbot nach. Auf infizierten PCs blendet Trickbot beim Online-Banking eine Abfrage nach der Mobiltelefonnummer und des Gerätetyps ein und fordert Nutzer anschließend zur Installation einer angeblichen Sicherheits-App auf. pic.twitter.com/QHfmYojZxK — CERT-Bund (@certbund) September 20, 2019

The distribution of the TrickMo malware relies on TrickBot's "web inject" feature -- the ability to inject content inside an infected user's web browser.

How a TrickMo infection works

Per IBM, when TrickBot detects that the user is accessing the web portals of certain banks, the malware creates a web page where it lures the user into downloading and installing a security app that "protects their accounts."

In reality, this app -- currently posing as Avast's mobile antivirus -- contains the TrickMo malware inside its source code.

Once the user installs this fake Avast antivirus, the app asks victims for access to the accessibility service. This is an important step because Android's accessibility service is one of the mobile operating system's most powerful features.

Initially developed by Google for the benefit of users with disabilities, the accessibilit service nowadays has almost near full control over a device and all of its features.

The TrickMo malware abuses this service to its full advantage, and uses it to interact with the victim's Android device without any user interaction -- by taking its own screen taps.

This way, TrickMo sets itself as the default SMS app. This allows it to intercept any SMS messages that arrive on the device, such as those sent by German banks and which contain OTP codes for login or transaction authorizations (called mTAN codes, for mobile transaction authorization number).

But that's not all. In case banks have upgraded their systems away from using SMS OTPs, TrickMo can also intercept OTP codes sent as push notifications.

Push-based OTPs, also called pushTANs, are one-time codes sent to the bank's app running on the account owner's device.

Because it can't simply extract the code from another app (Android restricts apps from accessing other app's data), TrickMo uses the fully-authoritative accessibility service to record the app's screen and send the recording back to its backend. Crooks later extract the OTP code when they need it to bypass logins and transaction authorizations.

Other TrickMo features

But according to Pavel Asinovsky, a malware researcher for the IBM X-Force security team, TrickMo has many more other features besides OTP collection capabilities.

For example, the TrickMo Android trojan also collects details about a device, which it sends back to the TrickBot gang as a "fingerprint."

This fingerprint will play a major role down the line, as the TrickBot gang will reproduce each user's mobile fingerprint when carrying out a fraudulent transaction, giving the bank the impression the operation took place from a user's legitimate device.

Further, the TrickMo trojan also comes with a "screen locking" capability. However, this is not used for ransomware purposes. Instead, the TrickMo trojan uses the screen lock to hide its nefarious activities from the user's eyes. More precisely, the TrickMo trojan uses a fake Android update fullscreen message to disguise all its OTP-stealing operations.

And last but not least, the trojan also comes with a self-destruct function, which IBM believes operators use after they've emptied an account and want to remove any evidence of their presence on a device.

Not the first of its kind

But while TrickMo might seem like a game-changer, it is not, and the TrickBot gang is just following the tactics employed by other malware gangs in the past.

In fact, the TrickMo name that IBM researchers assigned to TrickBot's Android app is a direct reference to ZitMo, an Android app developed by the Zeus (Windows desktop) malware gang in 2011, which was also deployed in a similar fashion to bypass 2FA for protected bank accounts.

Seeing a desktop trojan gang develop an accompanying Android app is both strange and rare.

This is because most of today's Android banking trojans now support similar features for intercepting 2FA SMS messages, and you often don't need a desktop trojan when you can easily operate on mobile devices alone.

But what is also of note here is that TrickMo was developed by TrickBot, one of today's biggest malware operations.

TrickBot initially started out as a banking trojan in the mid-2010s, but later evolved into a Cybercrime-as-a-Service (CaaS) operation that primarily makes its money by allowing other gangs to deploy second-stage malware payloads on TrickBot-infected hosts.

TrickMo's mere existence suggests the TrickBot gang is still investing and interested in banking fraud, despite TrickBot's very successful CaaS operation, which has been one of the main channels of deploying ransomware on enterprise networks over the past two years and has even been used by some nation-state hacking groups.