More advanced anti-detection capabilities have been integrated into an updated iteration of the TrickMo Android banking trojan, which is believed to have been developed by the TrickBot cybercrime operation, The Hacker News reports.
Attacks involved a fraudulent Google Chrome app which, once installed, prompts the victim to update Google Play Services and then downloads TrickMo as "Google Services" before requesting accessibility permissions, according to an analysis from Cleafy. TrickMo then leverages those escalated permissions for SMS interception, concealment of authentication codes, and credential-stealing HTML overlay attacks, said Cleafy researchers, who noted that both the dropper app and TrickMo use malformed ZIP files and JSONPacker to evade detection. Further analysis revealed that TrickMo's command-and-control server was misconfigured in a way that exposed 12 GB of stolen device information, as well as phony bank and crypto login pages used in the overlay attacks, which other threat actors could use for identity theft and online account breaches.
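The malformed-ZIP trick mentioned above works because an APK is a ZIP archive, and an archive whose structure is subtly broken may be parsed differently by an analysis tool than by the device that installs it. The following is an added example, not code from Cleafy or The Hacker News: a small Python checker that flags the common classes of ZIP malformation (duplicate entry names, unsupported compression methods, local-header and central-directory disagreement, CRC mismatches) and builds its own constructed sample archives so it runs offline. The entry names and contents are placeholders, and the checks are deliberately simplified rather than a full ZIP validator.

```python
"""Structural sanity checks for ZIP-based packages such as APKs.

Added example (not from the reported analysis). It reports the kinds of
malformation that let an archive behave differently in a scanner than on a
device: duplicate entry names, unsupported compression methods,
local-header / central-directory disagreement and CRC mismatches.
"""
import io
import struct
import warnings
import zipfile
from typing import List, Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
SUPPORTED_METHODS = {
    zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED, zipfile.ZIP_BZIP2, zipfile.ZIP_LZMA,
}


def _local_header_name(data: bytes, offset: int) -> Optional[str]:
    """Decode the file name in the local file header at `offset`, or None."""
    if len(data) < offset + 30 or data[offset:offset + 4] != LOCAL_HEADER_SIG:
        return None
    # Local header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
    # csize(4) usize(4) name_len(2) extra_len(2) name[name_len] ...
    flags, = struct.unpack_from("<H", data, offset + 6)
    name_len, = struct.unpack_from("<H", data, offset + 26)
    raw = data[offset + 30:offset + 30 + name_len]
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")


def inspect_zip(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no anomaly seen."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"unparseable archive: {exc}"]

    seen = set()
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Two entries with one name: different parsers may pick different ones.
            if name in seen:
                findings.append(f"duplicate entry name: {name}")
            seen.add(name)

            if info.compress_type not in SUPPORTED_METHODS:
                findings.append(
                    f"unsupported compression method {info.compress_type}: {name}")
                continue
            if info.flag_bits & 0x1:
                findings.append(f"encrypted entry: {name}")
                continue

            # The central directory and the local header must agree on the name.
            local_name = _local_header_name(data, info.header_offset)
            if local_name is None:
                findings.append(f"no local header at recorded offset: {name}")
                continue
            if local_name != info.orig_filename:
                findings.append(
                    f"name mismatch: directory={name!r} local={local_name!r}")
                continue

            # Reading to EOF makes zipfile verify the stored CRC-32.
            try:
                with zf.open(info) as fh:
                    while fh.read(1 << 20):
                        pass
            except zipfile.BadZipFile as exc:
                findings.append(f"entry fails integrity check ({exc}): {name}")
    return findings


# --- constructed sample archives (placeholder contents, not real APK data) ---

def build_clean_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 32)
    return buf.getvalue()


def build_duplicate_name_zip() -> bytes:
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("classes.dex", b"first copy")
            zf.writestr("classes.dex", b"second copy")
    return buf.getvalue()


def build_bad_method_zip() -> bytes:
    """Patch the first central-directory entry's compression method to 99."""
    data = bytearray(build_clean_zip())
    cd = data.find(CENTRAL_DIR_SIG)
    struct.pack_into("<H", data, cd + 10, 99)  # method field sits at +10
    return bytes(data)


def build_bad_crc_zip() -> bytes:
    """Flip one payload byte so the recorded CRC-32 no longer matches."""
    data = bytearray(build_clean_zip())
    data[data.find(b"<manifest/>")] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    for label, blob in [("clean", build_clean_zip()),
                        ("duplicate", build_duplicate_name_zip()),
                        ("bad-method", build_bad_method_zip()),
                        ("bad-crc", build_bad_crc_zip())]:
        print(label, inspect_zip(blob) or "ok")
```

Any finding is a reason to treat the package as suspect rather than to trust whatever a single unzip tool happens to extract; in triage, compare what two independent parsers (for example the platform installer's view and the scanner's view) see for the same archive.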