BleepingComputer reports that some of the 40 newly discovered variants of the TrickMo Android banking trojan target Android PINs for exfiltration. The variants have one-time password interception, data and credential theft, screen recording, accessibility service exploitation, and automated permission granting capabilities.
The novel TrickMo variants use fake unlock screens to capture Android users' unlock patterns or PINs, a Zimperium analysis showed. "When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier (the Android ID) to a PHP script," said Zimperium. Additional findings revealed that TrickMo has already compromised at least 13,000 individuals around the world, most of whom were in Canada, although that figure may still undercount the total number of victims. "Our analysis revealed that the IP list file is regularly updated whenever the malware successfully exfiltrates credentials. We discovered millions of records within these files, indicating the extensive number of compromised devices and the substantial amount of sensitive data accessed by the Threat Actor," Zimperium added.