The operators of the TrickBot banking malware have developed an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks.
This Android app, which security researchers from IBM have named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications.
TrickMo collects and then sends the codes to the TrickBot gang's backend servers, allowing the crooks to bypass logins or authorize fraudulent transactions.
TRICKMO CURRENTLY ACTIVE ONLY IN GERMANY
According to a report published today by IBM, "TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany", only users that have previously been infected with the (Windows) desktop version of the TrickBot malware are exposed to these attacks.
Furthermore, TrickMo is not broadly used in the wild.
Currently, it's only deployed against German users, primarily because German banks have a broader deployment of OTP protections, and Germany has always served as a testing ground for new TrickBot features.
HOW A TRICKMO INFECTION WORKS
In reality, this app -- currently posing as Avast's mobile antivirus -- contains the TrickMo malware inside its source code.
Once the user installs this fake Avast antivirus, the app asks victims for access to the accessibility service. This is an important step because Android's accessibility service is one of the mobile operating system's most powerful features.
The TrickMo malware abuses this service to its full advantage, using it to interact with the victim's Android device without any user involvement -- by performing its own screen taps.
This way, TrickMo sets itself as the default SMS app.
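As an added defender-side example (not code from the IBM report or from this article), the following Android Java snippet audits the two settings the article says TrickMo changes, the default SMS handler and the set of enabled accessibility services, and flags any package that is not on an allowlist; the package names in the allowlists are assumptions and should be replaced with those an organisation actually expects.

```java
import android.content.Context;
import android.provider.Settings;
import android.provider.Telephony;
import android.text.TextUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Reports Android settings that an SMS-OTP interceptor like TrickMo must change. */
public final class OtpHijackAudit {
    // Hypothetical allowlists: packages expected to hold these roles on managed devices.
    private static final Set<String> TRUSTED_SMS_APPS = new HashSet<>(Arrays.asList(
            "com.google.android.apps.messaging", "com.android.mms"));
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    /** Returns human-readable findings; an empty list means nothing suspicious. */
    public static List<String> audit(Context ctx) {
        List<String> findings = new ArrayList<>();

        // 1. Default SMS handler: whichever app holds this role receives every incoming
        //    SMS, including bank OTP codes, before any other app.
        String smsApp = Telephony.Sms.getDefaultSmsPackage(ctx);
        if (smsApp != null && !TRUSTED_SMS_APPS.contains(smsApp)) {
            findings.add("Unexpected default SMS app: " + smsApp);
        }

        // 2. Enabled accessibility services: Settings.Secure stores them as a
        //    colon-separated list of "package/ServiceClass" entries.
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (!TextUtils.isEmpty(enabled)) {
            for (String entry : enabled.split(":")) {
                int slash = entry.indexOf('/');
                String pkg = slash >= 0 ? entry.substring(0, slash) : entry;
                if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) {
                    findings.add("Untrusted accessibility service enabled: " + entry);
                }
            }
        }
        return findings;
    }
}
```

Run from a device-management or endpoint agent, a non-empty result is a signal to investigate rather than proof of infection, since legitimate messaging apps and assistive tools can also hold these roles.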