How to eliminate TrickMo from infected Android devices
Written by Tomas Meskauskas on (updated)
What kind of malware is TrickMo?
The TrickMo banking Trojan, initially spotted in 2019, has resurfaced with enhanced features in 2023. The latest version uses JsonPacker for code concealment and introduces 45 commands, including screen content theft and overlay attacks for credential harvesting. Victims should remove this malware from infected Android devices immediately.
Overlay attacks
Similarly to numerous other well-known banking Trojans, TrickMo utilizes the Accessibility Service to conduct its malicious activities. Upon installation, the malware prompts users to authorize Accessibility permissions, which it exploits to autonomously obtain additional permissions and execute activities associated with the banking Trojan.
TrickMo operates discreetly by establishing a connection with the C&C server in the background. It transmits diverse data, such as a list of installed apps, locale, device information, Accessibility status, permission status, and other details pertinent to TrickMo.
The malware first collects the package names of installed applications to pinpoint the target. Once the target is identified, the malware receives a command along with the package ID and an overlay URL. Subsequently, the malware creates an HTML file on the infected device using the package ID, saving the content from the specified overlay URL into this file.
The malware employs overlay attacks to deceive users of specific financial and cryptocurrency-related applications. By targeting apps like PayPal, MetaMask, and various banking services, the malware generates fake screens, or overlays, that mimic the login pages of these legitimate applications.
Once a user opens one of these apps, the malware activates and displays its deceptive overlay, capturing any sensitive information entered by the user, such as usernames and passwords. This stolen data is then transmitted to the cybercriminals behind the malware.
The targeted app list encompasses a broad range, including cryptocurrency wallets like MetaMask and Blockchain.com, financial services such as PayPal and Skrill, and numerous banking apps like HSBC, Lloyds Bank, and ING. Also, TrickMo targets Facebook, Netflix, AliExpress, Uber, Gmail, and other services.
Clicker functionality
Furthermore, TrickMo has a file called clicker.json inside its package. This file lists the names of apps it can interact with, along with specific rules on what actions to perform. Using the Accessibility Service, TrickMo follows the instructions in the clicker.json file. It can secretly carry out activities on the device, like clicking buttons or performing actions in apps, without the user knowing.
Screen recorder
The updated TrickMo now watches which apps are running, keeps track of what the user does, and saves this information in a text file. This collected data is then compressed into a zip file and sent to the bad actors controlling the malware.
Additionally, if the malware receives a specific command along with particular app names, it includes these apps in a list for recording. Afterward, it turns on the recording function, making the malware start capturing everything the user does in those chosen apps.
Commands
TrickMo exhibits a wide array of capabilities through the diverse commands it can receive. The malware can stealthily execute actions such as taking screenshots, collecting SMS messages, and sending unauthorized text messages from the infected device.
Additionally, TrickMo can manipulate device settings, disable notifications, and simulate user interactions by pressing buttons, unlocking the screen, or opening various application settings. Furthermore, the Trojan is adept at harvesting sensitive information by collecting call logs, capturing photos and videos, and even initiating USSD service calls.
Also, TrickMo can update itself, uninstall, modify its own configuration files, and more.
Name | TrickMo Android malware |
Threat Type | Android malware, malicious application |
Detection Names | Avast-Mobile (Android:Evo-gen [Trj]), Combo Cleaner (Android.Trojan.Banker.WJ), ESET-NOD32 (A Variant Of Android/TrojanDropper.Agent.LWC), Kaspersky (HEUR:Trojan-Dropper.AndroidOS.Hqwar.hs), Full List (VirusTotal) |
Symptoms | The device is running slow, system settings are modified without user's permission, questionable applications appear, data and battery usage is increased significantly, browsers redirect to questionable websites, intrusive advertisements are delivered. |
Distribution methods | Fake applications, infected email attachments, malicious online advertisements, social engineering, scam websites. |
Damage | Stolen personal information (private messages, logins/passwords, etc.), decreased device performance, battery is drained quickly, decreased Internet speed, huge data losses, monetary losses, stolen identity. |
Malware Removal (Android) | To eliminate possible malware infections, scan your mobile device with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Conclusion
In conclusion, TrickMo represents a highly adaptable and sophisticated banking Trojan with diverse capabilities. Its evolution over time, coupled with the ability to receive and execute numerous commands, underscores its resilience and continual efforts to stay ahead of security measures.
From overlay attacks targeting sensitive information to manipulating device settings and engaging in crypto-related activities, TrickMo poses a persistent and multifaceted threat, emphasizing the importance of ongoing vigilance and advanced cybersecurity measures to safeguard against its malicious endeavors.
How did TrickMo infiltrate my device?
Cybercriminals have been observed distributing TrickMo by disguising it as a free movie-streaming app called OnStream and a widely used web browser, Google Chrome. However, the exact distribution method is undefined.
TrickMo may be disguised as legitimate applications in third-party app stores. Unsuspecting users who download and install these fake apps could unknowingly infect their devices with the malware. Also, Cybercriminals may create fraudulent websites or compromise legitimate ones to distribute TrickMo. Users might unknowingly download the malware when visiting these sites or clicking on malicious content.
Additionally, TrickMo could be disseminated through emails or messages (SMS) containing malicious attachments or links and vulnerabilities in software or operating systems.
How to avoid installation of malware?
It is advisable to exclusively install software from authorized app stores like the Play Store or the iOS App Store to ensure the legitimacy and security of applications. Employing reputable antivirus software is also highly recommended for devices. Also, users should exercise caution when opening links received via SMS or emails on their mobile devices.
For Android users, enabling Google Play Protect is crucial for an added layer of security. Furthermore, users are advised to scrutinize the permissions granted to applications and regularly update their devices, operating systems, and applications to mitigate potential vulnerabilities.
Examples of HTML overlay injection pages crafted for diverse target applications: (source: cyble.com):
Update November 6, 2024: Recently, a new version of TrickMo has been identified. It now has the ability to steal one-time passwords and PINs. One-time passwords (OTPs) are temporary, single-use codes sent to users to verify their identity during login or transactions. TrickMo can intercept these passwords.
The malware can now display a fake unlock screen that looks like the real Android prompt, designed to steal the user's PIN or unlock pattern. This fake screen is an HTML page hosted on an external site and shown in full-screen mode, making it appear legitimate.
When the victim enters their PIN or pattern, the details, along with the device's unique Android ID, are sent to a remote server. Stealing the PIN allows attackers to unlock the device later and perform fraudulent activities when it is not being watched.
Screenshot of the fake unlock screen displayed by TrickMo (source: zimperium.com):
Quick menu:
- Introduction
- How to delete browsing history from the Chrome web browser?
- How to disable browser notifications in the Chrome web browser?
- How to reset the Chrome web browser?
- How to delete browsing history from the Firefox web browser?
- How to disable browser notifications in the Firefox web browser?
- How to reset the Firefox web browser?
- How to uninstall potentially unwanted and/or malicious applications?
- How to boot the Android device in "Safe Mode"?
- How to check the battery usage of various applications?
- How to check the data usage of various applications?
- How to install the latest software updates?
- How to reset the system to its default state?
- How to disable applications that have administrator privileges?
Delete browsing history from the Chrome web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.
Tap "Clear browsing data", select "ADVANCED" tab, choose the time range and data types you want to delete and tap "Clear data".
Disable browser notifications in the Chrome web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "Settings" in the opened dropdown menu.
Scroll down until you see "Site settings" option and tap it. Scroll down until you see "Notifications" option and tap it.
Find the websites that deliver browser notifications, tap on them and click "Clear & reset". This will remove permissions granted for these websites to deliver notifications. However, once you visit the same site again, it may ask for a permission again. You can choose whether to give these permissions or not (if you choose to decline the website will go to "Blocked" section and will no longer ask you for the permission).
Reset the Chrome web browser:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you find "Chrome" application, select it and tap "Storage" option.
Tap "MANAGE STORAGE", then "CLEAR ALL DATA" and confirm the action by taping "OK". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.
Delete browsing history from the Firefox web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.
Scroll down until you see "Clear private data" and tap it. Select data types you want to remove and tap "CLEAR DATA".
Disable browser notifications in the Firefox web browser:
Visit the website that is delivering browser notifications, tap the icon displayed on the left of URL bar (the icon will not necessarily be a "Lock") and select "Edit Site Settings".
In the opened pop-up opt-in the "Notifications" option and tap "CLEAR".
Reset the Firefox web browser:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you find "Firefox" application, select it and tap "Storage" option.
Tap "CLEAR DATA" and confirm the action by taping "DELETE". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.
Uninstall potentially unwanted and/or malicious applications:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you see a potentially unwanted and/or malicious application, select it and tap "Uninstall". If, for some reason, you are unable to remove the selected app (e.g., you are prompted with an error message), you should try using the "Safe Mode".
Boot the Android device in "Safe Mode":
The "Safe Mode" in Android operating system temporarily disables all third-party applications from running. Using this mode is a good way to diagnose and solve various issues (e.g., remove malicious applications that prevent users you from doing so when the device is running "normally").
Push the "Power" button and hold it until you see the "Power off" screen. Tap the "Power off" icon and hold it. After a few seconds the "Safe Mode" option will appear and you'll be able run it by restarting the device.
Check the battery usage of various applications:
Go to "Settings", scroll down until you see "Device maintenance" and tap it.
Tap "Battery" and check the usage of each application. Legitimate/genuine applications are designed to use as low energy as possible in order to provide the best user experience and to save power. Therefore, high battery usage may indicate that the application is malicious.
Check the data usage of various applications:
Go to "Settings", scroll down until you see "Connections" and tap it.
Scroll down until you see "Data usage" and select this option. As with battery, legitimate/genuine applications are designed to minimize data usage as much as possible. This means that huge data usage may indicate presence of malicious application. Note that some malicious applications might be designed to operate when the device is connected to wireless network only. For this reason, you should check both Mobile and Wi-Fi data usage.
If you find an application that uses a lot of data even though you never use it, then we strongly advise you to uninstall it as soon as possible.
Install the latest software updates:
Keeping the software up-to-date is a good practice when it comes to device safety. The device manufacturers are continually releasing various security patches and Android updates in order to fix errors and bugs that can be abused by cyber criminals. An outdated system is way more vulnerable, which is why you should always be sure that your device's software is up-to-date.
Go to "Settings", scroll down until you see "Software update" and tap it.
Tap "Download updates manually" and check if there are any updates available. If so, install them immediately. We also recommend to enable the "Download updates automatically" option - it will enable the system to notify you once an update is released and/or install it automatically.
Reset the system to its default state:
Performing a "Factory Reset" is a good way to remove all unwanted applications, restore system's settings to default and clean the device in general. However, you must keep in mind that all data within the device will be deleted, including photos, video/audio files, phone numbers (stored within the device, not the SIM card), SMS messages, and so forth. In other words, the device will be restored to its primal state.
You can also restore the basic system settings and/or simply network settings as well.
Go to "Settings", scroll down until you see "About phone" and tap it.
Scroll down until you see "Reset" and tap it. Now choose the action you want to perform:
"Reset settings" - restore all system settings to default;
"Reset network settings" - restore all network-related settings to default;
"Factory data reset" - reset the entire system and completely delete all stored data;
Disable applications that have administrator privileges:
If a malicious application gets administrator-level privileges it can seriously damage the system. To keep the device as safe as possible you should always check what apps have such privileges and disable the ones that shouldn't.
Go to "Settings", scroll down until you see "Lock screen and security" and tap it.
Scroll down until you see "Other security settings", tap it and then tap "Device admin apps".
Identify applications that should not have administrator privileges, tap them and then tap "DEACTIVATE".
Frequently Asked Questions (FAQ)
My device is infected with TrickMo malware, should I format my storage device to get rid of it?
Formatting your storage device will remove the TrickMo malware, but it is recommended to use reputable security software like Combo Cleaner to ensure a thorough and safe removal process. Formatting should be considered as a last resort, as it will erase all data on the device.
What are the biggest issues that malware can cause?
Malware can lead to data theft, financial loss, system damage, data loss, and compromise overall cybersecurity.
What is the purpose of TrickMo malware?
The primary purpose of TrickMo malware is to engage in financial fraud by stealing sensitive banking information and credentials from users. This includes employing techniques like overlay attacks, screen content theft, and advanced functionalities to compromise targeted applications and harvest valuable financial data for illicit activities.
How did TrickMo infiltrate my device?
The specific method of TrickMo infiltration can vary, but common avenues include emails, messages (SMS), malicious websites, social media platforms, third-party app stores, or exploiting vulnerabilities in software.
Will Combo Cleaner protect me from malware?
Combo Cleaner is a reputable antivirus and security tool designed to protect against various types of malware, including viruses, adware, and ransomware. It will scan your device and remove malware. It is advisable to run a full system scan to detect malware that may be hidding deep in the system.
▼ Show Discussion